/

‘Privacy’ services thwart investigation of rape video sites

by Craig Timberg

The Washington Post

Researcher Garth Bruen long has investigated the seamier corners of the Internet, but even he was shocked to discover Rapetube.org, a site urging users to share what it called “fantasy” videos of sexual attacks.

Bruen gradually discovered dozens of sites offering attacks on drunken women, lesbians or schoolgirls to anyone with a credit card. Some said the clips were fictional, but others had the word “real” in their titles. At least a few touted videos that he feared might show actual crimes.

Bruen tried to determine who operated the sites, a first step toward possibly having them shut down. But he quickly hit a wall. The contact information listed for websites increasingly is fictitious or intentionally masked by “privacy protection services” that offer ways around the transparency requirements built into the Internet for decades.

That is especially true for sites offering illicit or controversial content, studies have found. As a result, although governments have increasingly powerful tools for tracking individual behavior on the Internet, it is harder than ever for private citizens to learn who is responsible for online content.

To Bruen, this is the dark side of Internet privacy. “That’s not privacy. That’s secrecy,” said Bruen, 42, a security fellow at the Digital Citizens Alliance, a Washington-based advocacy group that combats online crime. “That’s corporate secrecy.”

The desire for sunshine is at odds with the libertarian ethos of cyberspace, where free speech often has been understood to include the freedom to share content anonymously. Bruen seeks a finer line that, while shielding personal conversations and other private behavior, would demand that content sellers accept a measure of accountability by making their identities known.

That long has been required by the Internet Corporation for Assigned Names and Numbers, a California-based nonprofit group that, under contract with the U.S. Commerce Department, has broad authority over the issuing of Web addresses worldwide. The group, typically called by its acronym, ICANN, requires that site operators provide “accurate and reliable contact details” but has struggled to enforce compliance amid the transnational lawlessness of cyberspace.

An ICANN study released in September found massive problems with contact information throughout the Internet. Among “adult” websites, nearly half used services to mask the identities of site operators or listed no contact number at all. When investigators attempted to reach site operators whose numbers were listed, the effort was successful for less than 6 percent of the adult sites surveyed.

“In principle, the information is supposed to be accurate,” said Stephen Crocker, chairman of ICANN’s board. Yet he acknowledged that it often is not, with the “dark corners” of the Internet most resistant to efforts at accountability.

For Rapetube.org, the official contact information listed a man with an East Asian last name, a French phone number and an email address issued by a Chinese company. When Bruen sent emails, they bounced back as “undeliverable.” When he called the phone number, nobody answered.

Still, whoever operated the site remained active, promising in text posted amid pictures of bound, sometimes bloodied women that there would be “regular updates” to what it claimed was “the biggest rape porn site for violent sex videos.”

Transparency was built into the Internet from its earliest days, when site operators needed to reach one another to resolve technical problems. That led to the creation of the “Whois” database, a consolidated source of contact information that became a popular tool for police, journalists, political activists and companies looking to combat abuse of their brand names and registered trademarks.

When activists against domestic violence in 2001 discovered a site called wifebeatersunion.com — it featured an animated image of a fist punching a woman’s face — there was enough information available to lodge complaints that eventually got the site shut down.

“It felt really good to take some action,” said Cindy Southworth of the National Network to End Domestic Violence. “If there is horrible, hateful content out there, it would be useful to know who hosts it.”

More recently, pressure from activists and advertisers persuaded Facebook in May to crack down on what it called expressions of “gender-based hate.” But such tactics have little chance of success when protesters can’t figure out whom to target in their protests.

The declining reliability of the Whois database is quietly embraced by many privacy advocates, who see the forced provision of contact information as contrary to free speech protections. U.S. courts recognize a right to speak anonymously as central to the First Amendment to the Constitution, on the grounds that voicing controversial ideas can be dangerous.

“We benefit from creating breathing room for anonymous and pseudonymous content,” said Eric Goldman, a law professor at Santa Clara University, in Silicon Valley. “Some categories of highly valuable information to society are especially susceptible to legal threats, and allowing content publication without attribution can help that content see the light of day.”

But courts also distinguish among kinds of speech, with pornography receiving less protection than, for example, political commentary or literature.

Most nude images of people younger than 18 are illegal to record, share or view. Some activists for women’s rights in recent years have been pushing for legal sanctions against nonconsensual pornography — often called “revenge porn” — in which pictures or videos of sexual acts are uploaded to websites after a relationship ends, typically to embarrass a former romantic partner.

“Here we have images of private people,” said Danielle Citron, a law professor at the University of Maryland. “The public has no legitimate right to know about that.”

In a world of more than a billion smartphones, clips of sexual encounters recorded by bystanders are also increasingly appearing online. Some of these depict consensual acts, but others are from assaults, as was the case with video last year of a 16-year-old girl in Steubenville, Ohio, who was raped while intoxicated.

But if websites show videos of attacks that are not real, there are few practical legal restrictions.

When asked about sites that feature “rape porn,” the FBI said in a statement: “These types of websites are not unknown to law enforcement. We use a variety of operational strategies to combat this problem and remain committed to identifying those people who would exploit children. In terms of other types of pornography (other than child pornography) that would draw FBI scrutiny — we make that determination on a case by case basis.”

Rapetube.org appeared to operate in this gray area as part of an extreme niche within the multibillion-dollar online porn industry. Sites offering what they describe as “fantasy” videos of sexual assaults receive little attention from law enforcement or the kinds of activist groups that track child pornography. Determining the amount of money involved — or even who receives the profits — is made difficult by the sketchy information available in the Whois database.

Archived versions of Rapetube.org carry claims that the people depicted are professionals who are at least 18 years old. “We do not condone non-consensual sex,” it says. “This site is about ROLE PLAYING FANTASY only and performed by professional actors and models.”

Elsewhere, however, the site makes clear that any registered user can upload content. “Submit your own videos, rate the vids you watched and join the community. Enjoy your stay! Bookmark Rape Tube!”

Many of the videos listed on archived versions of the site carried a simple, two-word description: “Real rape.”

Bruen, a father of two, has degrees in criminal justice, public policy and software engineering and is an elected user representative on an ICANN advisory board. He runs a small security-research firm called KnujOn.com — “no junk” spelled backward — out of a Tudor-style house shaded by maples in suburban Boston.

KnujOn, which grew out of work Bruen did in a previous job as an IT manager for a state agency, investigates sources of spam, those solicitations that jam email inboxes worldwide with offers of easy money or discounts on drugs such as Viagra.

During one investigation, Bruen came across hundreds of sites — featuring pirated software, unlicensed pharmaceuticals and get-rich schemes — registered to a single man, Henry Nguyen Gong, with an address and phone number supposedly based in France. Both the Web address and the privacy protection service came from a domain registrar, Bizcn.com, that is headquartered in the coastal Chinese city of Xiamen.

As Bruen searched for other sites registered to the same person, he was startled to find Rapetube.org. The images and descriptions Bruen found there only deepened his concern, prompting him to complain to ICANN and raise questions about the site in an email to the organization’s chief executive, Fadi Chehade. Bruen eventually filed more than 1,400 complaints against Bizcn.com about flawed information on sites registered to Henry Nguyen Gong.

Chehade replied warmly, saying in an email to Bruen, “I appreciate your dedication and commitment to the ICANN community.” But ICANN’s compliance staff rejected 11 percent of his 8,000 complaints, mostly on the grounds that the filings “lacked sufficient detail.” For the other 89 percent, Bruen received no response at all, he said.

The FBI and other law enforcement agencies around the world have lobbied ICANN to create a more accurate, accessible Whois database to assist their investigations. Even the industry group of domain registrars, the Domain Name Association, has endorsed the idea of a more accurate database, at least in concept. The association also has argued that more rigorous record keeping would add to the costs for registrars if they have to verify identities through passports or other official documents. Buying a new Web address now typically costs less than $15 a year.

For months, Bruen continued to periodically check the Whois database to see whether the contact information for Rapetube.org had been corrected. It never was. But after Bruen expressed his frustration publicly, in a post on his personal blog in September, Rapetube.org suddenly went dark.

A few days later, with Rapetube.org still offline, Bruen decided to see how many similar sites were still online by running a search for Web addresses with the word “rape” in their names. He quickly found more than 40.

“There’s really a commercial interest in promoting this material,” Bruen said, “and it’s much, much bigger than I thought.”

The sites carried links to one another, allowing customers to have access to several for a single payment, but they also appeared to compete. One site bragged: “This is, without a doubt, the sickest and most depraved rape fantasy content I have EVER seen. . . . Even if you are a seasoned fan, like me, you may STILL come away shocked.”

Again, the contact information was of little use, with most sites listing only a “privacy protection service” run by their domain registrars. Nearly a year after discovering this extreme pornographic niche, Bruen was little closer to learning who operated the sites.