The Craigslist Killer and Online Privacy

Let’s discuss the Craigslist killer, online privacy, and police procedures.
 
Why has this old case from 2009 gotten new attention? The murder itself was rather gruesome and unusual, and the events grabbed considerable attention at the time, especially in the Boston area where they took place. However, it all happened several years ago. Why remember them now? As it turns out, the Boston Police recently released a range of documents concerning the case (which is a good thing – kudos to the Boston Police for being transparent). A few reporters have looked closely at these documents. This has generated a series of online comments about how the police used information technology — ISPs, cell phones, Facebook, email — to connect the murder to the suspect.
 
Let’s bring the conversation to the attention of readers of this space. It shows how technical progress lowers the costs of performing new technical capabilities, which generate new possibilities for action. A big part of the online privacy debate concerns the simple policy question: how best can society use this new capability? The question is not new, to be sure, but it is hard to appreciate that question without understanding just what is possible. This example offers a good illustration about what online technology made very cheap and what police departments do with it.
 
On one level there is nothing shocking here. As it turns out, when Facebook receives a subpoena it complies. So do ISPs. So do cell phone companies. Anything anyone does from home leaves an online trace, and any determined police department can deploy subpoenas to associate that online trace with an individual. Police use this routinely when they have a good lead, and it can be useful in catching murderers.
 
More to the point, online privacy debates are best illustrated in the situations where the debate matters the least, such a successful criminal investigation of a murder. That is because these are the type of situations in which everyone cooperates. As the case illustrates, using comparatively routine processes to trace his actions online, police could take some impressive actions.
 
In brief, the case makes clear why police should have the ability to use these capabilities, and it makes clear how easy it is to do. The latter observation might be novel for many readers.
 
Recap and remark
 
In this instance, the murderer is called the Craigslist killer because he used Craigslist to find his victim. For our purposes, the case has one distinctive feature: Despite being a medical student at Boston University, which surely suggests he had some sort of brain on his shoulders, the Craigslist killer really did not understand how many online clues he was leaving for the police.
 
The facts of the case are straightforward, albeit gruesome. Back in the spring of 2009 a second year medical at Boston University medical school got into financial problems – due to gambling, it seems. He hatched a scheme to pay his debts through robbery. His potential victims were masseuses he solicited on Craigslist. They did not know him, and he contacted the victims with new email accounts and temporary cell phones. Once he met them, he would handcuff them at gunpoint and rob them. He did this three times before he was caught. The second of these went badly, and he shot the poor victim three times, murdering her in an upscale downtown Boston hotel. (If you want to know all the details about the Craigslist killer, read it here).
 
Reading this account I was reminded of a sardonic rule of thumb communicated to me by an old friend, who was a professional prosecutor: it is a good thing that most criminals are so stupid, otherwise they would never get caught. He meant the following: it is rather difficult for prosecutors to catch criminals, but many law-breakers make the task much easier by doing a range of things that connect them to the crime, namely, by NOT covering their tracks very smartly. From the prosecutor’s perspective, a thoughtful criminal only need take a small set of actions, and they are much harder to catch. Yet, most of them never think to do so.
 
The Craigslist killer’s actions illustrate a few such actions, especially on line. These are remarkable because of the contrast with other actions taken by the killer. He was smart enough to find vulnerable victims in Craigslist, and contact them in ways that made it challenging to identify him. He essentially did that by buying prepaid cell phones (which made it hard to trace to him in particular).
 
As example of one of the dumb things he did… after the murder he kept one of the cell phones at his residence (hidden, presumably, from his companion). But after the murders the police searched his residence and found it. Let’s just say it: such physical evidence is pretty damning, so it is pretty darn stupid to keep the phone at home. I am no expert — but, I dunno’ — it might have been a good idea to throw away the cell that contacted a victim.
 
Here is another example. Though the killer successfully committed his first robbery, he committed the second one (which led to the murder) in a hotel across the street on the next day. He also used exactly the same method, giving the police a pretty good clue they were dealing with the same individual (which made identifying him much easier). He committed the third one the following night 45 minutes away from Boston (again, using the same method), in spite of the massive publicity surround the murder (which, again, made identifying him much easier).
 
Anyway, all of this looks pretty stupid to the prosecutors. This guy took action to make his cell phone use anonymous, and then lost a lot of anonymity through his choice of time/place. A little spacing across police jurisdictions, and little patience, and he would have been much harder to find.
 
But, really, his email and Facebook behavior was clueless, so let’s focus on that. It did lead to the loss of anonymity, and that is worth understanding in detail.
 
The Craigslist killer acted in ways that tied him directly to his emails. The emails went between him and his victim. If anonymity is the goal – and clearly he had some inkling of its importance through his cellphone purchases – then why didn’t it extend to his email behavior?
 
He did not behave as if he realized what a trace he was leaving. For example, he acquired his email account the day before he used it to contact his victim, and did it from his home. From his home — whoa, that is stupid. Working from his home made it easy to trace. The email provider and ISP both have access to the same IP address, and the police used subpoenas to connect one with the other.
 
This association is one of the more remarkable details of the case precisely because the ISP was almost uncooperative. Here is what happened. The police sent a subpoena to the ISP asking for the address affiliated with the IP address they obtained from the email provider. The police got the email address from — no surprise — the victim. In this case, the email provider was Microsoft, and the firm seems to have complied comparatively quickly. In contrast, the ISP — Comcast, in this case — gave a somewhat more bureaucratic answer. They said, in effect, that it would be a couple weeks, unless the police gave them a good reason to be in a rush. Given the high profile of the case, the police had no problem doing that. Then the ISP made an exception to its default behavior, which is a slow answer, and complied quickly.
 
Notice how important was the online piece. Once the police had that address they could stake out the place. That eventually let them get an ID on the individual as well as fingerprints. They also were able to get photos (from Facebook, and from records at Boston University), which they could then show to the other victims. That allowed them to solve the case in less than a week.
 
Summing up
 
There is something deeper running throughout the recent release of documents. On one level, the documents illustrate something that has become almost a standard refrain among the more experience and sophisticated Internet research community, namely, there is less privacy online than in typical offline life. This so despite the attempts of many lawyers to make the online world less vulnerable to government snooping.
 
The case makes that refrain very apparent: with a search warrant, government prosecutors can find out quite a lot about just about any suspect who has an active online life.
 
The documents also illustrate another rule of thumb about privacy online. There are two kinds of surfers present, those who seem to behave as if they DO NOT comprehend the lack of privacy online, and those who are wary about whether the Internet will become big brother-ish. The Craigslist killer seems to have been the former.
 
Looking behind the surface, one other theme runs throughout this case. Nobody other than the killer did anything wrong. The police got it right. They followed proper civil procedure. The firms cooperated. A murder case got solved. The entire experience should make any sensible person want to say “Hurray for civil society.”
 
Yet, not trivially, the situation also showcases that the improvement in information technology in the last decade is not an unalloyed improvement. Indeed, less restrained governments and police forces can easily use information technology in ways that may have little to do with enforcing criminal law. Tracing emails to political dissidents should be easy. Censoring unwanted communication is no problem. Shutting down the leadership of an electronic communication network also appears comparatively trivial. I am no lawyer, but these events give me additional respect for the importance of subpoenas and other processes to ensure that police use them only when criminal behavior provides probable cause.

 
The preceding is re-published on TAP with permission by its author, Shane Greenstein, Kellogg School of Management, Northwestern University. “The Craigslist Killer and Online Privacy” was originally published on Virulent Word of Mouse on April 8, 2012.