Remarks by Brad Smith, Microsoft Senior Vice President, General Counsel
Law Enforcement Technology Conference 2008
April 28, 2008
SUSAN COPE: Thanks, Jason. I’m Susan Cope, and I’m the Senior Director of the Global Criminal Compliance Program, which is part of the Online Services Security and Compliance Group, the Security group for all of Microsoft’s online services. And we are delighted to be co-hosting the conference with our strong LCA partner. And I also have the honor today of introducing a man who almost needs no introduction, our Senior Vice President and General Counsel Brad Smith.
Brad leads the Legal and Corporate Affairs Group at Microsoft, and is responsible for all the legal work at Microsoft in addition to community, industry and government affairs. Brad has been fundamental in building this very strong partnership that Microsoft has with law enforcement. So, I’m delighted to introduce Brad. (Applause.)
BRAD SMITH: Thanks, Susan. If you don’t mind if there’s a bottle of water that somebody might bring up, I may need it before this is done. But thank you to Jason, and thank you to Susan, and most importantly thank you to all of you for coming, in some cases from across Washington, in most cases from around the world. So let me be the first person to welcome you to spring time in Seattle. Some years this starts in February and lasts until August, but it’s always worth it because every year both days of summer are really, really nice. So you’re seeing a typical day here, at least in terms of weather, but it’s far from typical, I believe, in terms of what we have the opportunity to accomplish this morning, and throughout this week, because this for us at Microsoft is truly an important conference, it’s an important milestone. We felt that the first conference in 2006 was a major step forward, even more than we first thought it might be, not just in getting people together, but in developing new ideas that translated into new steps that we believe have made a difference around the world. This week is an opportunity for us to build on that progress and take another significant step forward.
The reality is that technology is changing the world. The Internet is changing the lives of people. It’s changing how they interact. In a lot of ways, this is nothing new. Technology has been changing the world for well over two centuries, in good ways, and unfortunately in bad ways as well. People created the mail, and criminals invented mail fraud. In the 1800s, inventors created the telegraph, and criminals invented wire fraud. Every technology that has ever been invented has been used for good ways and bad. And it’s a fundamental purpose that those of you whose jobs are focused on keeping the world safe, and those of us who create this new technology have the opportunity to work together. I think it’s interesting to put some of what we’re seeing today in context.
In effect, the Web is creating new digital cities, if you will, cities that consist of communities that come from people around the world. In some ways, it’s a little bit analogous to the first creation of major industrial cities that arose early in the industrial revolution. By 1830, London had become the world’s most populous city. It had become a city of three million people. And for the three million people who lived there, there were great benefits for moving to London. There were new opportunities to interact with people, to seek employment, get economies of scale, promote culture, lots of things that attracted people to move there. And yet there were new challenges as well. People previously had lived in a world where they knew their neighbors. It was difficult for people to be anonymous in a small town. And yet for most people anonymity is an everyday fact of life, you just don’t know who is walking up or down on a street. And that new anonymity, the interaction that brought people together, the lack of new social norms in London in the early 1800s led to an increase in crime.
Between 1790 and 1820 in London, the murder rate grew by 140 percent, and the rate of thefts tripled. And so then, as today, people had to grapple with all of the positive and negative impacts of social change. Certainly we are seeing profound change on the Internet. We navigated through a first episode of that change as we went from a PC-centric world to an interconnected world between the late ’90s and the early part of this decade. It’s what people in hindsight called Web 1.0. And we all benefited from the ability to access content from around the world. We also saw some of the new problems it created. We saw the invention, literally, not only of new techniques of criminal activity, but new words in our vocabulary. Spam became something other than a brand of ham. Phishing became something that you didn’t need a boat to engage in. And we had to respond together to address it. Those problems are still with us, and we need to keep making progress to address them. At the same time, however, the Web is continuing to move on. Today we live in what’s called a Web 2.0 world, a new kind of Internet activity. And if you think about Web 2.0, I think it’s characterized, more than anything else, by a lot more interactivity. Whereas in Web 1.0, we accessed content that was traditionally provided from, say, a trusted news source, a company that might already be a household name; in Web 2.0, we’re all creating content, and we’re all creating content in real-time. It may be on a site like a blog. It may be on a social networking site where lots of different people are interacting together, sometimes with people they know, sometimes with people they don’t know.
We’ve seen a lot of new tools created, new forms of software, new forms of Web technology designed to facilitate this. We’ve also seen a lot of new business models, and these new business models are having a profound impact on the nature of this interactivity. A lot of Web 1.0 sites were based on subscriptions, which meant that you knew who was coming to the site. In fact, oftentimes you even had a credit card, and an address for someone, so you really knew exactly who the person was. Web 2.0 is much more typically fueled by online advertising. And, of course, one of the keys to online advertising is that everybody is welcome, the more eyeballs, the bigger the audience, the more advertising one can sell. And that has made it possible for more and more people to come to a site many, many times in an anonymous way. And as these people interact in much greater proximity, there is now a proximity on the Internet that is a bit like the proximity one sees in a major urban city. All of these new forms of activity create lots of new benefits, and people enjoy those benefits every day, whether it’s sharing information about themselves, or connecting with people who have a common interest, or learning new things about what other people are doing down the street, or halfway around the world. And yet, as with every prior form of technology, it is creating new challenges as well.
If there is one central focus, I think, of this three-day conference, it’s the opportunity for us to talk together about what the Web 2.0 phenomenon means for criminal activity on the Internet. Certainly from our perspective it is leading to new forms of criminal activity. One reflection of this is basically in the area of Internet security, the need of people to keep their private information private. And yet in a Web 2.0 world, one often sees a Web site that, in fact, is providing content and sometimes even code from many different places to a user’s computer. If you really pay attention, as I’m sure many of you have, to what’s being downloaded onto your computer from a Web site, you may see that there is content from the original site, there’s an ad from DoubleClick, there may be code or content that’s being pulled from other Web sites as well. If an Internet site is not well-designed, if it’s not secure, that creates new vulnerabilities, not only for the site, but for everybody who uses it.
This is leading to, in effect, a mixture of Web 1.0 and Web 2.0 technologies as people create new sort of efforts to create backdoors, to drop code onto people’s PCs, and to keep those backdoors there, and then use other Web sites to send instructions to people’s machines. It’s also leading to new forms of phishing, if you will. As social networking sites increasingly involve conversations that are taking place in real-time. Sometimes it’s e-mail, increasingly it’s instant messaging, or other forms of blog posting, but whatever form it takes it creates a new opportunity for criminals to seek to infiltrate the community, if you will, to become part of the conversation, and to seek to persuade people to part with their personal information. So one of the things we’re seeing in this Web 2.0 world is a new set of threats to security on the Internet.
The other thing that we’re seeing is new threats to safety, to the safety of individuals, and perhaps most importantly the safety of children. With the increase in interaction, and the opportunity for people to try to befriend others, if you will, sometimes with this cloak of anonymity, or even a false identity, there are new threats to our kids as they use the Internet online. And the ultimate threat, of course, a threat that so many of you have been involved in addressing, is the threat that a criminal will seek to win a child’s confidence in cyberspace, and then meet them in real space, and turn that Internet interconnection into real criminal activity in the real world. Certainly child exploitation and child pornography is an increasing, and to some degree a different type of a problem as we see the rise of these Web 2.0 trends.
So a conference like this is a great opportunity for us to step back, compare notes as we all will over the next few days about what’s going on, but I think the most important thing for us after doing that is to ask ourselves one central question, how should we respond? How do we best ensure that we stay not only abreast of those engaging in criminal activity, but try to stay a step ahead? What is the recipe for our success in addressing this kind of problem? I think some of the recipe is an age-old recipe, it’s the recipe that worked in London in the early 1800s. It’s a recipe that called on the City of London to create its first uniform police force, and invest in law enforcement. It was a recipe that called for new forms of cooperation between the public and private sectors as the City of London, for example, invested not only in the police, but in the lighting of their streets through new gas lamps, they were able to light the city, and cut the rate of crime in half. Just as then, our challenge almost two centuries later, will be to stay broad-minded in our thinking, to be creative, to be multifaceted, and perhaps most importantly to find new ways to work together. That’s what this conference is all about.
As we’ve thought about these issues here at Microsoft, and certainly as we’ve worked with so many of you and your colleagues around the world, it seemed to us that the fundamental recipe as we move forward is to stay grounded in three principles. I would like to talk a little bit in the time I have left about each of these principles.
The first principle is the enormous importance of collaboration between the public and private sectors. We each have unique things that we do well, and what’s critical is that we find new ways to do what we each do well, and do them together in a way that makes each of us better as a result. Those of you in law enforcement have a unique role to play in the world, you’re entrusted by the public to keep all of us safe. You’re given the subpoena and other powers that are necessary to do that job. And yet, as you’ve often told us, you need our technical expertise and tools to help be successful.
It was a lesson that we first learned, certainly it was a lesson that I first learned, almost exactly three years ago, we had done some early work in Canada on the creation of what we call CETS, the Child Exploitation Tracking System. As many of you are probably aware, this is a technology tool that was first created in Canada, in Toronto, and in Montreal, to enable police officers to pool information and compare data points in investigating child exploitation on the Internet. Our Canadian subsidiary had made some important steps forward, and this was up and running in Canada, and it was starting to make a difference. About three years ago, a group came from Canada to meet with some of us at Microsoft, they came to make a plea for us to spend more money. I was the senior person who was asked to attend this meeting, and I think I probably felt a little bit the way we often do when we know someone is coming to ask us for money. I knew it was a worthy cause, but we had just finished doing our budgeting for the year, and I remember walking down the stairs to the conference room where this meeting was taking place thinking to myself, well, I guess I’m the one who has to go to this meeting and say no, because I went to the meeting thinking that we could not afford to make the substantial investment to take this project forward.
And I sat down in this room with some of my colleagues from Microsoft, and for the next half-hour I simply listened to what the police officers from Canada had to tell us. And more importantly, I looked at the pictures that they showed on the screen. The person who did the presentation said, I’m going to show you some things that are going to make you very uncomfortable. These are not the types of things you’re used to seeing, and they’re not the types of things that any of us enjoy seeing, but if you want to understand this problem, he said to me, you need to take a look with open eyes.
And for the next several minutes I saw image after image of children, sometimes infants, being abused in a manner that people were not just exploiting that individual, but using to propagate across the Internet. And although I had come to the meeting thinking that I couldn’t afford to say yes, I soon realized that we couldn’t possibly bear to say no. I concluded that we had to find some way to move forward and make a difference with the authorities in Canada. I think some of the folks who work for me figured this would happen.
So sure enough I said, look, I think I can come up with a million dollars from our legal budget, if maybe another part of the company can come up with another million dollars. And I went back to my office, and got on the phone with the head of the Windows division, and sure enough, he agreed. And we put together that $2 million to take CETS to the next stage.
The next stage of an investment that has now amounted to $10 million, $10 million that will never see a return on Microsoft’s P&L the way an investment in a product that we sell for money will, but it’s easily one of the best $10 million investments we ever made, because we’ve seen what people like you and your colleagues have done with it around he world, to make a difference, and rescue children. In the UK alone the use of this technology has led to the rescue of 138 kids, 138 lives that have been improved as a result. That’s what you all do every day. That’s what we have the opportunity to do together.
In 2006 when we had this conference it provided the opportunity for us to talk together about what needed to come next, how can we build on an example like CETS and do more good? The result is a tool that we brought to life and launched last June, a tool that we call COFEE. Now, those of you who come to Seattle are used to thinking about Seattle and coffee, but this is a different form of coffee, it fits on a USB drive, as I know many of you are aware. It stands for Computer Online Forensic Evidence Extractor. And it’s simply a USB drive that you can fit into a PC.
It’s the brainchild of one of our employees, which is what I think most of us love most about working at this company. Anthony Fung, who is somewhere in the audience, I know, this morning, used to be a police officer in Hong Kong. Anthony joined Microsoft four years ago, and became part of our Internet safety enforcement team. One of the things he recognized was the difficulty involved in extracting information from a computer, not just a computer hard drive, but also the connections between a computer and the Internet, live, in real time.
He recognized that using traditional tools, typically what someone needed to do was unplug the computer and take it back to the office. Now, of course, immediately that led to the loss of whatever Internet connection was in place. And, as he concluded, it often took up to four hours for somebody to get the information they needed. So really taking his passion around this idea, he conceived of, and designed this new program, a program that we like to think of as a Swiss Army knife, if you will, for law enforcement officers. It has 150 computer tools on it. It can be programmed to do all of the work automatically, in which case it can do what it needs to do in about 20 minutes, instead of four hours. But, we also designed it to be a platform, if you will, so you and your colleagues can customize it further if you would like. I know that in Germany that’s what law enforcement officers have done.
Even since last June, when we brought this to life, we’ve found it useful, and it’s being by 2,000 police officers in 15 countries, from Poland to the Philippines, from Germany to New Zealand, and here in the United States. We provide it free of charge, because we believe in the value that it creates for all of us, value that was demonstrated recently in a case in New Zealand, a case where a forensic examiner was able to take this, plug it into a computer, decrypt the password, and get at other data, and get the evidence needed to lead to the arrest of an individual involved in the trading of child pornography.
I hope that all of you who have come here from law enforcement this week will look at this, give it a try, and most importantly, tell us how we can make it better. What new ideas should come to life this week, so that when we get together a year, or two from now we have new tools and new success stories to which we can point.
We know that our work together, across the private and public sectors, needs to focus not only on the investigation of incidents, and tools to make that possible, we know that we also need to keep looking at trends more broadly, and sharing the information that we gather, so we can all make each other more effective. That has played a major role for us, for example, as we analyze trends over the last four or five years. One of the things we learned about, one of the things we saw, was the increase of these so-called bot-nets, the capture of server computers that were then used to send instructions to other computers across the Internet. And sharing this information, and identifying new tools has led to real progress.
I think one of the greatest examples also comes from Canada, in this case from Quebec, the so-called Operation Basique. And I believe that one of the officers who was involved in that is also in the audience today, from the Surete de Quebec. And I know that they, together with the Royal Canadian Mounted Police, were able to make a major impact in addressing these kinds of bot-net attacks. They identified 17 hackers that literally had taken control of almost a million computers in 140 computers (sic) around the world. They identified bot-nets that were being used to defraud consumers to the tune of at least $57 million.
It’s that kind of ability to look not only at specific incidents, and specific tools, but step back and make sure that we’re all taking account of the broad picture that will enable us to continue to move our collaboration forward. It is absolutely something that we as a company are committed to doing.
If the first principle that we need to focus on, however, is the focus on collaboration, there’s a second principle, as well, and this is very different from the London of early 1800s. Unfortunately, because of the nature of the Internet, Internet crime is a global phenomenon, as you all know, it respects no border. It moves from state to state, and country to country in a blink of an eye. And as a result, our collaboration and the partnership between law enforcement authorities needs to be global, as well.
This is why the work of an organization like Interpol is of such fundamental importance in the 21st Century. I think Interpol has made great strides in helping law enforcement, in providing feedback to those of us in the private sector and our collective participation with and through Interpol will be even more important in the years to come. We’re thrilled when we get to provide technology tools to Interpol. Interpol today is using one of our products, Microsoft Groove, technology that, like CETS (Child Exploitation Tracking System), enables individual officers in different organizations in law enforcement around the world to share and bring together information.
In one recent case, a child predator showed up unexpectedly last year in Asia, and literally within an hour, using Groove, and under the auspices of Interpol, officers from around the world were able to connect this individual in Asia with data, literally hundreds of megabytes of data, that resided in Europe. It’s that kind of global connection, and collaboration that is clearly needed to prosecute Internet crime in the world today.
We’ve seen it with CETS, as well. Last month I was in Australia, and one of the opportunities I had was to go to Parliament House in Canberra, where we launched with the Australian Federal Police CETS in Australia, the eighth country to make it a reality, 13 others are considering it.
So many of these technologies have enormous economies of scale, the more people that use them, the more power they bring to everyone. Whether it’s CETS, whether it’s Groove, whether it’s other initiatives, every individual law enforcement agency, every individual officer is clearly more powerful, more effective when we create new tools to share information.
For those of us in the private sector, our goal is to create the tools so that you can share the information. We obviously don’t get access to them. And they are tools that respect the privacy rights of individuals on the Internet, and yet they’re tools that we believe enable you all, and law enforcement agencies around the world to make a difference, and achieve real breakthroughs in investigating crime.
Global connections, and collaboration need to take place not only in the context of investigations, they need to take place in the context of the creation of new law, as well. The cyber crime convention that started in Europe, was a big step forward in this regard. Already 22 countries have ratified that treaty, another 21 have signed and are now pursuing ratification. That’s the kind of broad collaboration that will create a stronger foundation in law, that will make the prosecution of crime, and safety on the Internet a greater reality for consumers around the world.
So that’s the second thing we need to keep focused on, this global partnership among all of us who share this concern about Internet safety. In addition to public-private collaboration, and this global focus, there’s a third principle, as well, and that’s the need for user education and user involvement.
If you think about urban areas today, if you’re a kid and you grow up in a city, you tend to be what people call street smart. You know how to enjoy the benefits that living in a city offers, but you also learn a little bit about how to look over your shoulder, and pay attention to people on the other side of the street, and avoiding walking down a dark alley that’s lonely in the middle of the night.
In a sense, we all need to make sure that the consumers of today, whether they be adults or children, become street savvy as they’re using the new digital cities on the Internet. Part of this means keeping computers secure, and part of it means being savvy in interacting with others. Our responsibility as a software company is to create the tools that people can use to help do that when they’re at home or at work.
In Windows Vista we created a security center, and we enable people to use that, to protect against spyware, to turn on their firewall, to find anti-virus subscriptions, and subscribe to them. We use other tools that are behind the scenes, if you will, a spam screen that seeks to stop a lot of spam before it gets to a PC, or a phishing filter, that a program like Internet Explorer relies upon to stop connections from known phishing sites.
And yet, in some respects it’s a little bit like building a seatbelt in a car. It’s there, and yet it only does good if somebody puts it on. Our work by definition is incomplete, and far from perfect, if users don’t know how to make use of these new technologies, and if users are not persuaded to then make use of them every day. It not only involves the use of these tools, it really does call on parents, and schools, and communities, if you will, to help make sure our kids are aware of what’s going on around them when they’re on something like a social networking site.
In most of the world today we teach our kids not to talk to strangers. If they’re walking home from school, and somebody stops and rolls down the window, if they don’t recognize the adult we teach our kids to keep on walking by. But, that same commonsense hasn’t yet necessarily permeated the Internet culture the way it probably needs to. As kids spend time on social networking sites, they come into contact with lots of their friends. But, sometimes they come into contact with strangers. And it’s important for all of us, as parents, and as civic leaders, to ensure that our kids have as much commonsense on the Internet as they do in every other part of every day life.
Certainly, as a company we’ve found that one key to making progress in this area is to partner with other civic-minded groups, non-governmental organizations, if you will. We’ve started to make some real steps forward. In the UK, for example, our employees have volunteered a lot of their own time, and they’ve worked with two NGOs, and they’ve gotten out in the community, and they’ve talked to groups of kids, and they’ve reached lots of adults.
But, ultimately, I believe this is a challenge, and an opportunity, and a responsibility for all of us. It’s a responsibility for those of us who create technology, it’s a responsibility for people in government, as well. We all need to do what we can, and we all have the opportunity to do more to ensure that our message is being heard by consumers around the world.
So we have three opportunities to make progress, combining education of consumers with our own collaboration together, and our global focus. This is a week where we really do have an opportunity to build on what we have already done together. We’ve done some great things together, and those successes should inspire us to achieve even more.
I think one of the most inspirational stories is in the so-called Operation Vico, it’s the story of a criminal who used the Internet in part to engage I the worst forms of child exploitation, he was a child a serial child abuser. He then proceeded to post images of himself with his face erased, if you will, so that he could continue to do what he was doing while remaining anonymous.
Well, the police in Germany were able to use new technology to restore the image that he had erased, and they captured his face in a photo. Once they did that, they provided that photo to media outlets. And very quickly there were 350 tips that came forward, and that, in turn, led to the identification and the arrest, and the prosecution of that individual. More important, it meant that he could not do those things any more.
We are thrilled to have you with us this week, because what you are doing is making a difference to real people around the world. It is making people’s lives better. We’re strongly committed to doing what we can to help you be more successful. We want you to tell us how we can do our part even better. If we all do that well over the next three days, this isn’t just a conference, this isn’t just talk, this will be about the recipe for the next steps, and real action, and real progress forward.
Thank you very much. (Applause.)
Well, it’s my pleasure, as well, to not only welcome you to this wonderful weather, but also to introduce our next speaker, Jean-Michel Louboutin is the second-most high-ranking official at Interpol. He is the executive director for police services there. He has over 25 years of experience working with all forms of crime, a lot of computer-related crime, not only in France, but in the French West Indies, and in French Guyana. I know he was seconded to Interpol in 1999.
Since 1999 he has led major efforts in Interpol to improve global collaboration among Interpol’s 186 members. He’s created a 24-by-7 coordination and command center, something that works in four languages in real time. He’s created other new tools that enable national police officers to share information. We’ve seen the success and the results of this many times. So as a company, and as an executive on behalf of our company I feel very privileged to welcome you here today.
Thank you very much. (Applause.)