As gang members increasingly use the Internet, law enforcement personnel need to become more Web savvy. Internet sites, like MySpace, YouTube, Twitter, AIM, and Facebook, continue to grow in such use, and, thus, officers need to understand how to investigate gang-related activity in an online environment.

Many of these Web sites contain information that investigators will find relevant to their cases. Officers can tap into this important source of data by making formal legal requests in a timely manner; this process typically requires a grand jury subpoena, administrative subpoena, court order, search warrant, or user consent pursuant to the Electronic Communications Privacy Act (ECPA) to get the service providers to comply.¹ By exploiting gang members’ online activity, investigators use an important weapon in the war against illegal gangs.

INTERNET COMMUNICATION

VARIETY OF INFORMATION

Many times, officers will find gang-related Web pages; secure sites that require passwords accessible only to gang members; or links to gangsters’ instant messaging, e-mail, audio, or text-messaging services. On other occasions, investigators may locate one via an informant who may provide, if necessary, a name and password needed to access and explore the site. Or, an officer will formally request the needed information.

Gang members’ Web pages often help to prosecute them. While pursuing pertinent online information, investigators must understand the law and recognize exactly what they and the service providers can do. Officers also should know how gang members use the Internet and should use against them their desire for recognition and respect in their subculture.

Basic Subscriber Data

Basic subscriber information may include gangsters’ first and last names, user identification number, e-mail address, registered mobile number, Internet protocol (IP) address at the time of sign-up, date and time of account creation, and most recent logins (generally the last 2 to 3 days prior to processing the request). In general, successful data retrieval depends on the investigator finding a gangster’s user ID, group ID, or the associated user name or group name; officers can locate this information by checking the e-mail addresses connected with gang members’ accounts.

The author has had success by accessing and exploring informants’ accounts (upon gaining their consent) to find information on targets—often fellow gang members—of investigations and then taking the necessary steps to gain additional data (e.g., a user’s name, date of birth, address, gender, and private message information). When dealing with service providers, investigators will benefit by having valuable information up front. Requests without specifics typically require more time and effort to identify a particular user account. Generally, officers will need a court order under Title 18, U.S. Code, Section 2703 (d); a search warrant; or user consent.

IP Log-In Records

Investigators can access logs showing the IP address assigned to users and the dates and times that they accessed their profiles. The process required to obtain historical records typically includes a grand jury subpoena or administrative subpoena under Title 18, U.S. Code, Section 2703 (c)(2); a court order; a search warrant; or user consent. Prospectively capturing log-in IPs typically requires a pen register/trap-and-trace order under Title 18, U.S. Code, Section 3121.

Private Messages

Private messages in a gangster’s inbox remain available until the individual removes them. Service providers do not maintain copies of messages marked for deletion by a user and cannot recover them once deleted. And, without an already operational Title III wiretap, investigators have no access to them. Gang members’ private messages not manually deleted stay in the sent box for 14 days. Additionally, bulletins sent from and held for users on service provider servers are available.

To obtain messages less than 180 days old, investigators need a search warrant under Title 18, U.S. Code, Section 2703 (a); or user consent. For older messages, officers need a subpoena or court order where the government provides prior notice to the subscriber (or delays notice under Title 18, U.S. Code, Section 2705), a search warrant, or user consent. For example, an investigator may present a warrant asking the provider for records pertaining to a particular user ID, including the person’s name, postal code, country, and e-mail address; date of account creation; IP address at account sign-up; logs showing IP address and date stamps for account accesses; and the contents of the user’s inbox and sent mail folder.

Photoprint

The photoprint is a compilation of all photos uploaded and not deleted by the user, along with those uploaded by another individual and featuring a tag of the user of interest. A request should specify photo prints related to a particular user ID. Officers should remember that these pictures typically are delivered in PDF format and contain profile information, such as links to other photos, videos, and blogs. The process required to get this information involves a grand jury or administrative subpoena; court order in which the government provides prior notice to the subscriber under Title 18, U.S. Code, Section 2703 (b)(2) (or delays notice under Title 18, U.S. Code, Section 2705); search warrant; or user consent.

Videos

Gang members often post videos of themselves, sometimes conducting incriminating activity, on Web sites, such as YouTube. These videos provide an excellent way to prove that individuals in an investigation are gang members. As the videos are public domain, they need simply to be downloaded. Later, they can serve as valuable evidence for a jury.

Forensic Evidence

In many cases, a tremendous amount of information, such as instant messenger chat and client logs, may exist on the gangster’s personal computer—of course, not in the possession of the service provider. Cookie data can remain on a gangster’s computer for extended periods of time if the individual did not clear it after using the machine to access an ISP account. Investigators easily can find that information. The same is true with cached pages—electronic copies of viewed pages—stored on the local machine until the user or computer removes them. This can include viewed images.

To obtain such information, investigators should include personal computers in all gang-related search warrants when appropriate and should search and seize the machines in accordance with these warrants to gather as much evidence against a gangster as possible. These search warrants are defined under Title 18, U.S. Code, Section 2703.

Location Tools

Investigators also can take advantage of applications that can allow someone to locate a cellular telephone from a computer or another cell phone. While designed to locate a lost cellular device, these applications can find a potential victim just as well. For a nominal cost, officers can have a program that not only will follow people in real time but provide turn-by-turn directions on how to get to them. Gangsters often want their friends to know where they are, but, if their friends know, so can their enemies. Many of these individuals add a location to their tweets letting all of their friends know where they are. This, of course, can be used by rival gang members to find or set them up by intercepting tweets or by having associates pass these messages along to them.

PROCUREMENT PROCEDURES

For information requests, service providers need the identity of requesting officers; their agency; employer-issued e-mail address; telephone contact, including area code and extension; and department mailing address (a post office box often will prove insufficient). They also must have a response due date, which typically should allow them at least two to four weeks for processing. Service providers also should receive from investigators specific details pertaining to the account, such as dates of interest—data pertaining to large periods of time may be unavailable or labor intensive to retrieve. Most of the communication between the requesting officer and the service provider will be via e-mail, including the returned data, which also may be mailed on storage media.

Many times, such requests involve costs that may need management approval. Service providers typically reserve the right to charge reasonable fees, where permissible, to cover the cost of replying to user data requests, such as search warrants or subpoenas. Title 18, U.S. Code, Section 2706, defines and governs these compensation matters. This does not require government agencies seeking certain categories of information to pay for subpoena compliance unless the request is overly burdensome.

Search Warrants

Web providers voluntarily can disclose information, including user identity, log-in information, private messages, and other data, to federal, state, or local authorities when they believe in good faith that an emergency involving danger of death or serious physical injury to any person requires such disclosure without delay. Emergency disclosures must meet the threshold requirements of the ECPA as demonstrated in writing by the requestor. Law enforcement officers must be careful not to include a promise of future process or sign forms that promise such.

In these situations, service providers will supply information pursuant to Title 18, U.S. Code, Sections 2702 (b)(6)(C) and 2702 (c)(4). Emergency disclosures are not compelled, but voluntary on the part of the provider, who may refuse without legal consequence. Often, they seek information, the amount of their choice, to enable them to determine whether an emergency exists. Typically, an emergency disclosure statement by law enforcement, including a description of the nature of the emergency (e.g., potential bodily harm or kidnapping), is required; and, even though the guidelines may vary slightly between service providers, most require essentially the same facts.

Pursuant to Title 18, U.S. Code, Sections 2702 (b)(7) and 2702 (c), officers need to give as much information as possible to persuade the provider to supply the information needed. Investigators should seek only information they believe will assist them in protecting those potentially affected by the emergency. Officers must attest that the request is true and accurate to the best of their knowledge and sign the request.

User Consent

Similar to when they knock on doors and ask for consent to search, officers can do essentially the same with Internet service providers. Information can be obtained pursuant to the voluntary consent of the user per Title 18, U.S. Code, Sections 2702 (b)(3) and 2702 (c)(2). Authentication of the true identity of the user must be provided and articulated in the consent request (e.g., a notarized consent letter).

OTHER REQUESTS

Disabling Accounts

Most providers will not disable an account if it will jeopardize an ongoing investigation. Officers not wanting targets to know that their account is being investigated should clearly specify not to disable an account until a particular date. Conversely, investigators who want an account disabled immediately—to stop threats, for example—and who do not care if the target knows can indicate that it is not a problem to disable the account.

Preserving Records

In accordance with Title 18, U.S. Code, Section 2703 (f), providers must comply with requests by law enforcement to preserve information for 90 days with an extension for another 90 days upon a renewed request per Title 18, U.S. Code, Section 2703 (f)(2). Pending the issuance of a subpoena or search warrant, providers will preserve information in accordance with the law but will not produce data until receipt of a valid legal request. When service providers receive a preservation request, they merely save a copy of the information they possess, which will be retained and later provided to law enforcement upon presentation of legal process. However, investigators should note that gangsters can continue modifying the information on their page as before and that these actions will not affect the stored copy retained by the service provider.

Officers should not routinely seek preservation of all data, only what they intend to obtain through the legal process. Otherwise, providers will be preserving, in some cases, a vast amount of data, perhaps not valuable to law enforcement personnel. 

A gang member testified in court against his associates who committed two murders. Just prior to taking the stand, the witness received threats via instant messaging, which he relied on to stay updated about goings-on in the gang. Particularly disturbing were a common greeting for his fellow gang members followed by a threat to his family and a listing of his home address. Clearly, this situation demanded immediate attention.

With the witness’ consent, the author examined the phone and obtained the necessary information to get a warrant to identify the source of the threats. The service provider was contacted, and a warrant was drafted that resulted about five hours later in the identification of the account holder sending the threats. The following day, the fugitive task force arrested this individual. As it turned out, a gangster in court had been relaying information to a fellow gang member in another state. This individual then forwarded the texts to the witness in an attempt to get him to recant or fail to testify. Fortunately, it did not work. The witness took the stand and testified, and a bold statement was made to the gang: Those who make threats against a witness in a gang case—in person or online—will be held accountable for their actions.

Case #2

Webpage QuoteIn another case, four gang members arrested for involvement in a shooting were awaiting trial in county jail. All initially claimed they were not active members. However, a visitor took cell phone pictures subsequently posted on MySpace of two of them throwing up gang signs while waiting in a holding tank for the trial to begin. Once confronted with the photos, they stopped their denials of gang affiliation. Further, investigators knew when and where the photos were taken.

Case #3

On a Web page, a gang member had pictures of himself holding several guns and communicating that he was on a “murder mission.” He provided his gang name, moniker, and specific photos showing his tattoos; his identity and home address later were determined. After a short surveillance, officers arrested him and conducted a search of his car and home, finding several guns and a lot of gang evidence. The arrest never would have been made if not for the creative and proactive approach taken by investigators to use the gang’s desire for recognition against them.

Conclusion

Investigators have access to much information online that can help them in their cases against gang members. A search of the cyber world should be part of every major gang investigation; it should not be an untapped resource in any jurisdiction. Officers should take advantage of the information superhighway to make the community safer and successfully prosecute gangsters by using against them their desire to be well-known, respected, and feared. It takes effort and time but has proven in many cases to be well worth it.