IPCS: Research Institutes in India
   

#2666, 3 September 2008
 
Terrorism and the Internet: Security Agencies Barking up the Wrong Tree
Sandeep Bhardwaj
Research Officer, IPCS
e-mail: sandeep@ipcs.org
 

In three recent terrorist attacks - the UP blasts of November 2007, the May 2008 blasts in Jaipur and the Ahmedabad blasts of July - local media offices received e-mails minutes before the explosions, announcing the blasts and claiming responsibility for them. In all three cases, immediately after the blasts, these e-mails became the focal point of media coverage and, at least in the Ahmedabad case, of the police investigation. Notably, in all three cases the e-mails led the investigations nowhere.

In all three cases, the police immediately identified the IP addresses and, from them, the geographic location of the sources of these e-mails. These sources, however, turned out to be cyber cafes or private open WiFi networks; in other words, dead ends. Nevertheless, the e-mails remained in the limelight, with the police transferring investigations to forensic labs and blaming the cyber cafe owners for not following the rules, among other things.

What makes these cases most peculiar is the failure of the police and the media to realize that these e-mails were, in investigative terms, bad leads to begin with. Since nothing should be discounted in an investigation, and criminals always make mistakes, the police were correct to follow them up. However, they should also have realized that these e-mails had very little chance of leading them to the culprits. Unlike tracing explosives or vehicles, internet tracing is not only much more difficult, it is also immensely easy to evade. The best analogy here would be a kidnapper sending a ransom note by letter. Of course, there is an off chance that the kidnapper's handwriting is immediately recognized by the investigator, or that the stamps used are rare and can be traced back. However, the probability of either is extremely low, and an investigator building his case solely on such leads clearly has no idea of what he is doing.

The only significant information that an e-mail gives you is the IP address, which, through the Internet Service Provider (ISP), can in turn lead to the internet connection from which the e-mail was sent. Here the first hurdle comes up. As seen in these cases, the e-mail is sent either from a cyber cafe or by invading an open WiFi network. In the case of cyber cafes, it has to be acknowledged that the registration rules that police insist every cyber cafe should follow are not practical. Not only do the cafe owners often find such registration a tedious task that hampers business, many owners are also illiterate and hence incapable of ensuring that the rules are followed. Such rules cannot be implemented comprehensively, so all the terrorist has to do is find one cafe that does not follow them. Hence, the investigative lead is lost.

In WiFi networks, on the other hand, the investigator has a better chance, though only by a slight degree. Common WiFi routers use DHCP (Dynamic Host Configuration Protocol) to provide the laptop with an internet connection. DHCP, in turn, stores the MAC (Media Access Control) address of the laptop's WiFi device. The MAC address is an identification number that is unique to one particular WiFi device in the entire world. With this MAC address, police can identify the manufacturer of the laptop and subsequently the shop from which it was sold. However, in a country like India, where a substantial percentage of computer hardware is sold in the grey market and no records of resale are kept, the chances of pinpointing a shop become bleak. Also, such an investigation can take many months, and critical investigating time is lost. Moreover, at any step of this investigation the perpetrator can simply use easily available spoofing software to hide the IP address or the MAC address, sending the police on a wrong trail for months.
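
The limits of the MAC-address lead described above can be checked directly on a router's lease records. The following is an added example, not part of the original article: it assumes a dnsmasq-style lease line layout, and the lease lines and the OUI-to-vendor map are constructed samples.

```python
# Added example: triage the MAC addresses recorded in a router's DHCP leases.
# Lease lines (dnsmasq-style layout assumed) and the OUI map are constructed.
from typing import NamedTuple, Optional

SAMPLE_LEASES = """\
1217750400 00:11:22:aa:bb:cc 192.168.1.101 laptop-a *
1217750460 02:de:ad:be:ef:01 192.168.1.102 * *
1217750520 a4:5e:60:12:34:56 192.168.1.103 guest *
not a lease line
"""

# Hypothetical registry extract: first three octets (OUI) -> vendor name.
SAMPLE_OUI = {"00:11:22": "Example Vendor A"}

class LeaseFinding(NamedTuple):
    mac: str
    ip: str
    locally_administered: bool
    vendor: Optional[str]

def parse_mac(text):
    """Return the six octets of a colon-separated MAC, or raise ValueError."""
    parts = text.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("not a MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)

def triage_leases(lease_text, oui_map):
    findings = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            raw = parse_mac(fields[1])
        except ValueError:
            continue  # malformed record: skip rather than guess
        # Bit 0x02 of the first octet marks a locally administered address:
        # it was set in software, so a manufacturer lookup is meaningless.
        # An unset bit is no proof either; a copied address looks genuine.
        local = bool(raw[0] & 0x02)
        oui = ":".join("%02x" % b for b in raw[:3])
        vendor = None if local else oui_map.get(oui)
        findings.append(LeaseFinding(fields[1].lower(), fields[2], local, vendor))
    return findings

if __name__ == "__main__":
    for finding in triage_leases(SAMPLE_LEASES, SAMPLE_OUI):
        print(finding)
```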

The e-mails by the Indian Mujahideen and the aftermath that they generated are a clear indication of the gaping lack of knowledge that security agencies have about current technologies. While almost every major city in the country has a police cyber cell, these cells clearly do not have the technical knowledge to match cyber criminals or to tackle cyber-forensics at an advanced level. Today, most cyber crime cases are solved by the affected companies, which have much better cyber security staff than the police agencies.

However, the lack of resources and technical know-how in the Indian police system is nothing new and is part of a larger governance problem. A more important implication concerns how the Indian media, civil society and security agencies perceive technology. Clearly, the lack of knowledge goes beyond just the police. While in many other failures of the police, the media or more specialised security agencies are able to pinpoint the mistakes, in the case of technology crime, everyone is equally ignorant. Ironically, while India is the IT hub of the globe, cyber security remains largely misunderstood.

 
Article by same Author
Recent Developments in Sri Lanka: Implications for India

Bangladesh Elections and the Future of Indo-Bangladesh Relations

Bangladeshi Politics: Rewind the Last Two Years

Cyber Terrorism: Threat Exaggerated?

India-Bangladesh Relations: Are the Carrots Working?

Indo-Bangladesh Relations: A Golden Opportunity Missed?


The Institute of Peace and Conflict Studies (IPCS) is the premier South Asian think tank which conducts independent research on and provides an in-depth analysis of conventional and non-conventional issues related to national and South Asian security, including nuclear issues, disarmament, non-proliferation, weapons of mass destruction, the war on terrorism, counter terrorism strategies, security sector reforms, and armed conflict and peace processes in the region.

For those in South Asia and elsewhere, the IPCS website provides a comprehensive analysis of the happenings within India with a special focus on Jammu and Kashmir and Naxalite Violence. Our research promotes greater understanding of India's foreign policy especially India-China relations, India's relations with SAARC countries and South East Asia.

Through close interaction with leading strategic thinkers, former members of the Indian Administrative Service, the Foreign Service and the three wings of the Armed Forces - the Indian Army, Indian Navy, and Indian Air Force, - the academic community as well as the media, the IPCS has contributed considerably to the strategic discourse in India.

 
B 7/3 Lower Ground Floor, Safdarjung Enclave, New Delhi 110029, INDIA.
Tel: 91-11-4100 1900, 4165 2556, 4165 2557, 4165 2558, 4165 2559 Fax: (91-11) 41652560
© Copyright 2012, Institute of Peace and Conflict Studies.