Telecommunications: SPOOFING, SWATTING, Active Shooters, & Public Safety

Written By Stephen M. George Jr. MPA

Overview

What is spoofing and how does it work?

“Spoofing” occurs when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity.

Spoofing is often used as part of an attempt to trick someone into giving away valuable personal information so it can be used in fraudulent activity or sold illegally. U.S. law and FCC rules prohibit most types of spoofing.

Caller ID lets consumers avoid unwanted phone calls by displaying caller names and phone numbers, but the caller ID feature is sometimes manipulated by spoofers who masquerade as representatives of banks, creditors, insurance companies, or even the government.

 

What you can do if you think you’re being spoofed

You may not be able to tell right away if an incoming call is spoofed. Be careful about responding to any request for personal identifying information.

  • Never give out personal information such as account numbers, Social Security numbers, mother’s maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.
  • If you get an inquiry from someone who says they represent a company or a government agency seeking personal information, hang up and call the phone number on your account statement, in the phone book or on the company’s or government agency’s website to verify the authenticity of the request.
  • Use caution if you are being pressured for information immediately.
  • If you have a voice mail account with your phone service, be sure to set a password for it.  Some voicemail services are preset to allow access if you call in from your own phone number.  A hacker could spoof your home phone number and gain access to your voice mail if you do not set a password.

Is spoofing illegal?

Under the Truth in Caller ID Act, FCC rules prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of value.  If no harm is intended or caused, spoofing is not illegal.  Anyone who is illegally spoofing can face penalties of up to $10,000 for each violation.  In some cases, spoofing can be permitted by courts for people who have legitimate reasons to hide their information, such as law enforcement agencies working on cases, victims of domestic abuse or doctors who wish to discuss private medical matters.

Is blocking a phone number the same thing as spoofing?

Spoofing is not the same thing as blocking a phone number.  FCC rules require telephone companies to make phone number blocking available and free for all calls between states (each state makes its own rules about calls that stay within the state).  If you receive a phone call from an “unknown number,” that phone number has been blocked, but not necessarily spoofed. Also, you can legally block the transmission of your phone number when you make calls, so your number will appear as “unknown.”

What are the FCC rules regarding caller ID for telemarketers?

FCC rules specifically require that a telemarketer:

  • Transmit or display its telephone number or the telephone number on whose behalf the call is being made, and, if possible, its name or the name of the company for which it is selling products or services.
  • Display a telephone number you can call during regular business hours to ask to no longer be called. This rule applies even to companies that already have an established business relationship with you.

How do I report suspected spoofing?

If you receive a call and you suspect caller ID information has been falsified, or you think the rules for protecting the privacy of your telephone number have been violated you can make a report to the FCC at https://consumercomplaints.fcc.gov/hc/en-us/requests/new?ticket_form_id=39744

Recent FCC Actions on Spoofing

Aug. 3, 2017 – The FCC proposed an $82 million fine against an individual who apparently made more than 21 million illegally spoofed robocalls in violation of the Truth in Caller ID Act. https://www.fcc.gov/document/fcc-proposes-82-million-fine-spoofed-telemarketing-robocalls

aboutThe SWATTING Phenomena

Swatting is the act of pulling a prank on another by falsely reporting serious threats such as incidences of domestic violence, shootings, and hostage situations to the police.

Using altered caller IDs and voice modification devices to conceal their identity, these pranksters use these terrifying threats to mobilize police forces into entering the homes of and arresting the chosen victims.

The term “swatting” was coined by the FBI in 2008, when the phenomenon began gaining serious popularity. Typically, this prank is pulled within the online gaming community while gamers are using Twitch, a website used to live stream a gamer’s play through of a game to the entire world. Because these live streams can be so popular, it has become customary to swat a gamer while he or she is using a digital camera to stream his/her face. This way, thousands of people around the world can watch as a person is aggressively arrested and charged for a horrible crime. Often, the videos recorded from these events are posted onto YouTube, where many who find the prank amusing decide to participate in it themselves.

The informant, Ian, is a 21-year-old university student who considers himself a gamer and internet enthusiast. He knew a victim of this prank in high school, and has since maintained interest in the internet phenomena. While Ian considers the act terrible, he is still fascinated by the immorality of those who partake in it. Although he sees the activity as an awful internet trend, he watches videos of it because he is intrigued by the violence surrounding it.

As someone who has grown up with the internet as its culture has become more advanced and developed, it is quite interesting to see how dark some of its aspects have become. Although the internet can be very personal, the popularity of this activity is likely a result of the lack of face to face contact between those interacting on it. When a prankster cannot physically see the long-term consequences of his or her actions, it becomes easier to commit to the act. This is probably why so many have swatted others.

Notable Incidents

Twenty-eight-year-old Andrew Finch was shot and killed by police in Wichita in 2017, after a fraudulent emergency call drew police to his family’s residence with their weapons drawn. The hoax call — an instance of what’s known as “swatting” — was placed after an argument in the online game Call of Duty. http://fortune.com/2017/12/30/swatting-call-of-duty-police-shooting/

In 2014 he FBI is assisting Long Island cops to find the gamer behind a hoax call that brought more than 70 heavily armed officers to the home of a teen who had just defeated him in an online game of Call of Duty.  https://nypost.com/2014/04/23/fbi-helping-to-find-call-of-duty-gamer-behind-swatting-prank-call/

Analysis

Legislation & Retaliation

In 2011, California State Senator Ted Lieu authored a bill to increase penalties for swatting. His own family became a victim of swatting when the bill was proposed. A dozen police officers, along with firefighters and paramedics surrounded his family home.

In 2015 a New Jersey State Assemblyman Paul Moriarty announced a bill to increase sentences for hoax emergency calls, and was targeted by a hoax. The bill proposed prison sentences up to ten years and fines of to $150,000.

A 2015 bipartisan bill in Congress sponsored by Katherine Clark and Patrick Meehan made swatting a federal crime with increased penalties. Congresswoman Clark wrote an op-ed in The Hill saying that 2.5 million cases of cyber stalking between 2010 and 2013 had only resulted in 10 cases prosecuted, although a source for this was not provided.   As revenge for the bill, an anonymous caller fraudulently called police to Rep. Clark’s house on January 31, 2016.

In the United States swatting can be prosecuted through federal criminal statutes:

  • “Conspiracy to retaliate against a witness, victim or informant”
  • “Conspiracy to commit access device fraud and unauthorized access of a protected computer”
  • An accomplice may be found guilty of “conspiring to obstruct justice”
  • In California, callers bear the “full cost” of the response which can range up to $10,000

Conclusion

Swatting is a cyber threat that covers a wide range of offenses and is often carried out by individuals with a great deal of technical skill. Because of this, it presents the justice system with a difficult task in trying to address the issue. Many swatters utilize technology to make it more difficult to trace their activity, and their actions take advantage of third parties to carry out real-world harm to their victims, going beyond the scope of other cyber offenses such as cyber-stalking. Part of the difficulty in addressing this type of crime is figuring out how to classify it; deciding which laws to use to punish those who commit the offense. This presents the question of whether a separate, comprehensive federal law should be created to address the issue directly.

Swatting: The Dangers and Costs

The crime itself involves an individual notifying emergency services with a fraudulent report of serious criminal activity at their victim’s location in order to elicit a forceful response from law enforcement, usually in the form of a SWAT team. These criminals often use Caller ID “spoofing” technology, allowing them to deceive emergency services into believing that the call is coming from the target location.

This creates an incredibly dangerous situation for both the victim and the law enforcement officers responding to the report. SWAT teams arrive heavily armed and ready to react to a high-risk situation with deadly force. An unsuspecting victim will often become confused and disoriented from the spontaneous, aggressive arrival of police officers, causing the victim to react in such a way that might increase the chance of police using violent force against them.  Victims, thinking their home is being invaded by intruders, might respond with violence of their own, possibly hurting an officer in self-defense. Beyond the physical harm swatting creates is the economic cost; there is the wasteful drain that comes from responding to false reports. Each deployment of a SWAT team can cost police departments thousands of dollars, and false reports can divert resources from real emergencies that require police attention.

The Wichita Incident

The true extent of the physical danger that swatting presents came to light this past December, when the first fatality as a result of swatting occurred in Wichita, Kansas. After a dispute in an online video game, Los Angeles resident Tyler Barriss allegedly made a false report to Wichita police about a hostage situation occurring at the home of Andrew Finch. When police arrived, Finch emerged from his front door and was killed by an officer.The police have stated that they believed Finch had moved his hands toward his waistband, and appeared to be reaching for a possible weapon.  Neither Barriss nor Finch were involved in the original dispute, and it is believed that a third party asked Barriss to commit the act. This case involves several factors that make it a significant case for change in the way the justice system responds to the swatting phenomenon. The fact that Barriss’ actions resulted in a death widens the scope of charges in a swatting case, and the actions of third parties – from the police officer who fired the shot, to the individual who asked Barriss to make the call – further complicate the issue.

The Current Response to Swatting

Actually tracking and locating swatters requires police to pay attention to the internet and social media presence of both the culprit and the victim, since many swatters prey on individuals who are very active on social media and video streaming platforms such as Twitch and YouTube.  Because of this, investigations require the cooperation of these businesses and service providers to provide information on swatting suspects. Following a series of swatting incidents in Texas, police were able to track down Zachary Lee Morgenstern after Google and Twitter provided police with the IP addresses associated with Morgenstern’s social media accounts.  In the Wichita case, Barriss claimed responsibility for the fraudulent call on Twitter, and explained through YouTube that he had been instructed to perform the crime.

There are currently no federal laws directly related to swatting with which to charge the culprit after apprehending him. Some states have specific statutes related to falsely reporting an emergency, but when there is no such statute, law enforcement has had to creatively utilize related charges and connect them to the act of swatting by viewing it as a step through which the perpetrator committed other crimes. Some charges that police have used include conspiracy to commit device fraud, making interstate threats, and obstruction of justice. The Wichita case presents the difficulty in addressing an interstate issue with an amalgamation of state laws. Barriss is set to face charges in Kansas, but is also connected to incidents in Illinois, New Hampshire, and even Calgary, Canada. In Kansas, he faces a charge of manslaughter due to the resulting fatality, narrowly avoiding a felony murder charge because causing a false alarm is not among the “inherently dangerous felonies” listed under the state’s felony-murder statute.

The Proposed Federal Statute

There have been attempts to create federal legislation against swatting, but so far none have become actual law. The “Swatting Won’t be Accepted or Tolerated Act of 2015” introduced by Senator Charles Schumer would have punished those who would make any “false, fictitious, or fraudulent statement . . . to a Federal law enforcement agency that causes an emergency Federal law enforcement response” with up to eight years in prison, and force them to repay costs to the government for emergency response resources.Massachusetts Representative Katherine Clark introduced a bill called the “Interstate Swatting Hoax Act” in December of 2015. This bill included criminal penalties for anyone who, “with the intent to cause an emergency response by any law enforcement agency, . . . knowingly transmit[s] false or misleading information” that a crime is taking place, as well as civil actions for reimbursement of expenses for the emergency response. The criminal penalties addressed the various degrees of harm, from the basic cost of the response to any resulting death. With many states being slow to directly respond to the swatting issue, federal legislation such as this could help greatly in addressing such a wide ranging, interstate problem.

Addressing Third Parties

As stated previously, social media and internet-based service platforms play an important part in the way swatters connect with their victims, and so it is necessary to address the extent of their responsibility in these cases. Websites such as YouTube and Twitch already offer legal services to counter cyberbullying and swatting, but this generally amounts to banning users after they are reported or cooperating with police after a swatting incident has taken place. Some might suggest that such services should take on the burden of increasing monitoring efforts, be able to notify users of potential threats, and provide specific information to help the user report the threat to police. The Communication Decency Act generally protects online entities from liability for the actions of their users, and case law cites the economic cost of screening millions of users as a basis for shielding these service providers from liability.

The Wichita case also presents the issue of third parties who incite the act of swatting. This brings up the question as to the extent of the responsibility of the person who asked Barriss to make the hoax report. There is also the issue of the actions taken by police, and whether they acted appropriately once they arrived at the scene.

Comments