Using MySpace in criminal investigations

It was late August, and depending on whom you asked, MySpace was either a Web 2.0 prophet or the devil gone digital. While the business world was reading about the social networking site’s US$900 million deal with Google, its expansion into Australia and its mention on Time’s list of the 50 coolest websites, the security community was riveted by a different set of headlines. “Two teens arrested in MySpace hack,” read one. “Three teens accused of sexually assaulting girl they met on,” read another. A third: “Man accused of raping MySpace date.”

At a conference in Dallas, Hemanshu Nigam had to address an audience focused on the latter set of headlines. And he was about to find out how public a stage he had stepped onto by taking the job as CSO of MySpace, the News Corporation entity on which owner Rupert Murdoch is staking his plans for a digital future. An hour before Nigam’s first session, to be given at the annual Crimes Against Children conference, he and a staff member headed to the conference room at the Hilton to set up. They found a line outside the door.

“We asked somebody in line, Are you waiting for something?” recalls Nigam, who is also CSO for all of Fox Interactive Media. “And they said, Yeah, for the MySpace training. As soon as the doors opened, people kept coming, and they kept coming, and they kept coming. All of a sudden you had 4 feet by 6 feet of walking space, and all the way up to that you had people sitting on the floor. All the walls had people standing. It was crawling room only.”

People were turned away. Everyone wanted to hear how MySpace could assist law enforcement with criminal investigations.

Nigam, a 42-year-old born in India and raised in Connecticut, took the stage, where he spoke both with the command of a seasoned federal prosecutor of child crimes and the empathy of a father of four. He described MySpace’s 24-hour hotline for law enforcement, its track record of helping to find teenage runaways as well as rapists, and its efforts to get IP addresses and other crucial information to officers as quickly as possible. His words seemed to have their desired effect: Afterward, more than 90 percent of those assembled gave his talk a positive rating.

“He seems to be forthcoming in saying, We know there are issues that need to be addressed, and we are addressing them,” conference organizer Larry Robbins says. “I didn’t get the impression that he was trying to sweep something under the rug.”

Law enforcement officers who have tested MySpace’s response capabilities say it’s not just lip service. “I was actually pleasantly surprised,” says Deputy U.S. Marshal Robert Charette, who recently worked with MySpace to track down and arrest a man wanted in two states who was logging in to his MySpace account from a public library in Philadelphia. “We normally are used to waiting days and weeks on end [for subpoenaed information] from phone companies, and I expected a similar type of response from MySpace. But it was an immediate response, and they were extremely cooperative and a pleasure to deal with.”

The fact is, the company had better be. MySpace is hot. Last July, according to the research service Hitwise, it passed Yahoo Mail to become the most-visited website in the United States. But as the number of profiles created at the Web community has exploded–to 150 million at the time of this writing, according to the company–so too has its appeal to everyone from small-time drug dealers to pedophiles to murderers. After all, it’s just as easy for a criminal to sign up as it is for a 14-year-old who wants to share soccer photos or chat about Justin Timberlake.

The challenge for Nigam is to make the site a safer place for users (and, of course, advertisers) without destroying the very openness that has made it so popular. This places Nigam not just front and center at conferences about child safety, but also at the very nexus of culture, commerce and security. Despite MySpace’s seeming ability to respond well when things go wrong, it’s still far from certain whether Nigam can make the site measurably safer and more secure — and whether he can ever do enough to appease MySpace critics, including an outspoken group of 32 state attorneys general who want to tighten access to the site. When Nigam took over last May, “there was a sigh of relief breathed by many folks [who felt] that now, at least, something is going to get done. There’s an open door, and there’s someone that they can communicate with,” recalls Derek Broes, a senior vice president at Paramount Digital Entertainment, who worked with Nigam at two previous jobs. “His biggest challenge will be accomplishing what MySpace wants to accomplish without damaging the company itself and building a poor user experience.”

It’s no easy task. But as Broes puts it, echoing the sentiments of others who know Nigam, “if anybody is going to find the solution, it’s going to be Hemu.”

Nigam’s New Space

Not long after the media conglomerate News Corp. bought MySpace for US$580 million in October 2005 and wrapped it up into Fox Interactive Media, the suits started looking for someone to help improve security at the once-scrappy upstart. Social networking sites such as MySpace, Facebook and Xanga had been flying under the corporate radar despite concerns about child safety, malicious code and copyright infringement. But now things were different. Not only did the largest of those sites’ new parent company, News Corp., have deep pockets (2006 revenue: $25.3 billion) but Murdoch also was counting on MySpace to be a big part of his company’s strategy going forward. In fact, the News Corp. chairman and CEO told investors it was a $6 billion property. (A Chinese company owned by IDG, parent of CSO’s publisher, is in talks with MySpace to invest in a Chinese version of the site.)

Ernie Allen, longtime president of the National Center for Missing and Exploited Children, soon got a phone call from someone at Fox Interactive Media, who wanted his recommendation on CSO job candidates with credibility on child safety issues as well as a solid understanding of technology. Nigam immediately came to mind.

The two men had known one another for more than a decade, since Nigam’s days as a federal prosecutor for the U.S. Department of Justice, where he specialized in Internet-related child pornography, child predator, women and child trafficking, and computer crime cases. Later, they worked together when Nigam was director of consumer security outreach and child safe computing at Microsoft. (In between the two jobs, Nigam was a vice president for the Motion Picture Association of America, where he worked on antipiracy initiatives.) Allen had high regard for Nigam’s integrity and ability to get things done. “I thought his background was exactly what they needed,” he recalls, and said as much to the person on the other end of the line.

At Microsoft, Nigam got a call too. “Somebody said, can you call a friend of mine at MySpace and talk to them because you know child safety? And that turned into, would you like to work here? Then I called Ernie and said, what do you think of this? I don’t want to go somewhere just because they’re looking for a name from Microsoft. I want to go there because I’m really going to make a difference,” Nigam says. Allen was convinced that in offering Nigam the job, Fox Interactive Media had shown that it was looking for more than a figurehead to appease shareholders and talk to The Wall Street Journal. “I said to them, you should not hire somebody like Hemu if the purpose of this is pure PR, because his whole history is, he’s a doer,” Allen recalls. “He makes things happen. He tackles challenges and tries to solve them.”

Despite the fact that the job would mean relocating his wife and four young children from Washington state to Los Angeles, the opportunity was enticing. “The reality is this company got hit with the worst kind of thing a company can get hit with, and that’s predators, but it got hit at the best possible time that a company can get hit with a problem like that, and that’s at its nascent stage of development,” Nigam says. “The company hadn’t been built in a way that it was going to be stuck in its ways. It was only a year and a half old. If they’d called me three years from now, I wouldn’t even think about it. Now is the time to set the stage.” The public reaction to Nigam’s appointment was swift and positive. With his legal background, technology smarts and reputation as a defender of children, all his experience seemed to lead him to this point.

“We were all optimistic about MySpace’s hiring of [Nigam], because we felt that they would be able to implement effective measures,” says Jay Chaudhuri, special counsel to North Carolina Attorney General Roy Cooper, the cochairman of a group of 32 attorneys general who have been trying to push MySpace to improve its safety and security practices.

But now, the honeymoon is over.

“In the last six months, MySpace has certainly made some changes,” Chaudhuri says, “but are they sufficient to protect children online, and do a majority of attorneys general think MySpace is a safe ‘place for friends,’ as they like to call it? I think the answer is no.”

Pushing for change

Within weeks of Nigam’s start date of May 1, 2006, MySpace was proclaiming new measures to improve safety and security. First, the company would block members who list their age as over 18 from contacting members who are 14 or 15, unless the adult knows either the young member’s full name or e-mail address. (MySpace says that members must be at least 14 years old but does not verify age, which is still a point of much contention.) Second, the company would allow members of any age, and not only 14- and 15-year-olds, to set their profiles to private, making their full information available only to people within their network of “friends.” Third, the company would start targeting ads based on age, to ensure that members under 18 don’t see ads for tobacco or dating services and that members under 21 don’t see ads for alcohol. (This targeting of ads certainly fits into a larger strategy; Eric Openshaw, national managing director of the technology, media and telecommunications group at Deloitte Consulting, says that the amount of information members provide to MySpace makes it a “marketing data gold mine” that might allow News Corp. eventually to recoup its investment.)

Other, quieter changes were made. For instance, MySpace employees noticed that some young members were listing their age as 69 (shorthand for a sexual position). Older members were then running searches for, say, 69-year-olds under four feet tall, in hopes of finding young members interested in sex. Now, members can no longer browse for people over the age of 68.

From his third-floor office at the studiously hip new digs in Beverly Hills that News Corp. built for Fox Interactive Media, Nigam takes a pragmatic approach to these types of changes. He works with his team to create what he calls an issue list. “We look at, what are hackers doing, what are predators doing?” he says. “Then we go to our engineers and say, suppose you have no worries about resources — what can we do to solve these issues? Is there a change we can make or feature we can add?” Once they have this list in hand, they try to figure out which five or 10 things they can do to hit 80 percent of the problem, and they build the priority list from there.

Perhaps the biggest change to grow from this issue list is an attempt to block known sex offenders from the site. A constant stream of news reports of children lured into meeting ill-intentioned adults they chatted with on MySpace have battered the site’s reputation. One woman and her 14-year-old daughter sued MySpace for $30 million, after the girl was allegedly sexually assaulted by a 19-year-old man she met on MySpace. (The case was dismissed in February.) An investigation published by Wired in October found hundreds of registered sex offenders who had created MySpace profiles using their real names, and some of them were busy collecting young “friends.” So in December, MySpace announced that it was partnering with Sentinel Tech Holding, a background verification vendor, to build a central, national database of known sex offenders — information that previously had been scattered across numerous federal and state databases. The technology, known as Sentinel Safe, will allow MySpace to block those users from the site. (MySpace says its competitors can use the database as well.)

Critics were quick to point out that the move would simply force registered sex offenders to use aliases, but MySpace has been lobbying on that front too. On the heels of the Sentinel Safe announcement came a PR coup: Sens. John McCain (R-Ariz.) and Charles Schumer (D-N.Y.) announced plans to introduce legislation that would force registered sex offenders to disclose their e-mail addresses to law enforcement. Using a nonregistered e-mail address would be a violation of probation or parole. The law, if passed, would provide MySpace with more information with which to make a match. In Virginia, the attorney general pushed for similar state legislation.

Meanwhile, reports were whirling about malicious code running through the site. In one earlier case, a teenager known as “Samy” exploited a cross-site scripting vulnerability, adding a piece of code to his profile that within 20 hours infected the profiles of more than 1 million users–and garnered him more than 1 million automated requests to be each user’s “friend.” (He pled guilty and was sentenced in January.) Another worm exploited a flaw in Apple QuickTime to steal log-in credentials of users and spread spam; one security vendor estimated that one in three profiles was affected.

As a result, Nigam is now turning more of his attention to computer security issues, pulling together a dedicated group that will respond to incidents and work on education and awareness — both for MySpace engineers, who need additional training on how to write secure Web applications, and for members, who can protect themselves by installing antivirus software and firewalls and by keeping their software patched.

In the background of all this, the basic sleuth work continues. MySpace’s terms of service prohibit members from posting photos or videos that contain nudity, hate speech or illegal drug use, or ones that infringe upon copyright laws, but it’s a constant battle to keep that kind of material off the site. The 24/7 support operations team — currently about 40 percent of MySpace’s 300-person staff — manually reviews the 7 million images and videos that are posted every day. They also run searches to try to find underage users who post information, like the name of the elementary school they attend, that indicates they are not at least 14 years old. The company says it currently shuts down about 30,000 profiles of underage users each week. (Nigam wouldn’t discuss any specifics regarding copyright infringement, citing an ongoing lawsuit that was filed in November by Universal Music, which claims that the foundation of MySpace is “‘user-stolen’ intellectual property of others,” with MySpace “a willing partner in that theft.”)

Still, the reports of unsavory characters on the site continue, as attested by a quick visit to the crowded, which tracks crimes related to MySpace and other social networking sites. “I don’t think whatever security measures [Nigam] put in place are being all that effective,” says Trench Reynolds, the nom de blog of the North Carolina dad and “9 to 5-er” who runs the site in his spare time. “MySpace can only do so much on their end of things. Parents need to do a better job monitoring their kids’ activities.”

“Anytime you have users interacting in one location, eventually you’re going to have bad people show up,” acknowledges Nigam, who has a disarmingly straightforward manner when questioned about problems on the site. During an interview that lasts the better part of a workday, he manages to come across as polished without being slick, with short black hair that’s spiked up on top to minimize the thinning — the former fed trying to fit in at a company where he is at least a decade older than most of his coworkers. For him, he explains, the fact that his security initiatives are not 100 percent effective is beside the point. “There are lots of things a bad guy could do to get around systems that are in place,” says Nigam simply, his navy blazer draped over an empty chair next to him. “But from our perspective, that doesn’t mean you don’t put the systems in place. You do everything you can. You predict and you attack, you fix, you change, you make it difficult. And while you’re making it difficult, you constantly raise awareness around what’s going on.”

None of what Nigam has done, of course, is enough to appease MySpace’s critics. The copyright-infringement lawsuit filed by Universal Music, which is owned by Vivendi — another international media juggernaut — is unlikely to go away easily. In January, four more families sued MySpace for millions of dollars, claiming their underage daughters were sexually abused by adults they met on the site. The U.S. House of Representatives has passed, and the Senate is considering, legislation that would require public schools and libraries to restrict the use of social networking websites by minors. And the group of state attorneys general, threatening legal action, is not budging on what they see as the need for MySpace to institute age verification.

“All the changes they’ve made have certainly been positive, but as we’ve expressed to them, they’re not the most effective means of protecting children online,” says Chaudhuri of the North Carolina attorney general’s office. “They’re all changes on the margin and don’t focus on the critical issue of trying to distinguish the child from the adult or the adult from the child.”

Nigam hints that he would like to figure out how to solve this problem. In fact, MySpace’s partner on the sexual predators database, Sentinel Tech, says it does provide age verification. “It should be telling that we’re partnering with a company that offers that, and we’re not using that part of it,” Nigam says when quizzed. “It is extremely difficult to verify the age of people who are under the age of 18. Publicly available data does not exist. We do think parents can have a role in it, and we’re examining what can be done with parental involvement.” Soon after, MySpace announced that it was developing free software that parents could install on their home computers to monitor what name, age and location their children are using at the site.

The question going forward is whether the changes Nigam has made — and the changes he continues to push for — can actually make the site measurably safer, without making it, well, uncool. Already, MySpace’s demographic is skewing older than competing sites. According to comScore Media Metrix (which measures Internet usage), percentage-wise almost twice as many users of the competing site Xanga, which welcomes users as young as 12, are under the age of 18.

A demographic change, if prompted by increased security controls, might be the kiss of death — or it might be a blessing. “There are two arguments there,” says Openshaw from Deloitte Consulting. “If you increase the level of security and control and filtering, you might slow [the adoption rate] down, or it might increase because you make it palatable to a whole other segment of the population that might be willing to use it” — adults who want to share information with friends and family but who also want assurance of privacy and security. Already, comScore says, a surprising half of MySpace users are age 35 or older, and MySpace reports that its fastest-growing population is between the ages of 35 and 42.

Whichever way MySpace is trending, if you believe that social networking is not just a fad — that we have truly entered a world of consumer-to-consumer interaction on the Web — then you’d better hope that Nigam can find the right balance between security and commerce. “We can make these things absolutely safe and secure,” says Allen from the Center for Missing and Exploited Children, adding, “but do we then drive people into offshore versions of this that are beyond regulation?” Ones that don’t have 24-hour hotlines for law enforcement or someone in charge who is, yes, regularly willing to talk to the press when bad things happen on its site?

“If you look at the problems that they have fixed or improved, it’s very encouraging,” Allen says. “But there’s more to do, and the challenge is daunting. It’s the kind of thing that’s going to require continuing commitment, continuing dedication and continuing communication. This is one of those things that’s not going to be solved quickly.”

Nigam, for his part, is bullish that not only will his changes make the site more secure but that they’ll also improve the business. Although he likes to present what he’s doing as a public service, as if talking about making money were crass, he insists that there is a strong business benefit to his role.

“The advertisers who talk to us are saying, If your site has people who are getting victimized or hit by viruses and there are dangers there, then we don’t want to align our brand with yours,” Nigam says. “So there’s this really cool synergy between doing safety for business reasons and doing safety because it’s the right thing to do. You don’t find that in many places. The [safer it is], the greater your reputation; the greater your reputation, the more advertisers feel comfortable in talking to the 135 million people who are on the site. If you don’t do that, then you have 135 million units of overhead cost, and that’s one of the worst investments you could make.”

During a phone call weeks later, he expands on this point, saying that all the talk about the business rationale for improving security on MySpace recalled the driving rationale of his career.

“I remember my first day of training in the Los Angeles District Attorney’s office, and the deputy stood up to give us a speech about what it’s like to work in the DA’s office,” he says. “Near the end of it he said, ‘You know, one of the greatest things you’re going to find out about this job is every single day, you get to come to work and do the right thing.’ I heard that, and I was like, I guess I’m never going to leave. And so every single time I’ve gone to a new job, I go mentally through that debate of, am I going to go there to do the right thing? Coming here, I kept thinking to myself, you know, if I join I can come to work to do the right thing. Keeping our members safe, that’s doing the right thing. Keeping our site secure, that’s doing the right thing. And when we do that, it has a major business impact, and that just makes it all the better. “I’m the guy who gets to come to work to do the right thing.”


Meet Hemanshu Nigam

Name: Hemu Nigam Headline: “Safety innovation never sleeps…”

Gender: Male

Age: 42 years old

Location: Beverly Hills, CALIFORNIA

Status: Married

Hometown: Born in Kanpur, India. Raised in Connecticut.

Zodiac Sign: Capricorn Children: Four, ages 11, 10, 6 and 21 months Education: Bachelor’s degree, law degree Hemu’s Companies

Fox Interactive Media/MySpace

Chief Security Officer, 2006–present

Microsoft Various jobs, including Director of Consumer Security Outreach and Child Safe Computing for the Security Technology Unit, 2002–2006

Motion Picture Association of America VP of Worldwide Internet Enforcement, 2000–2002 U.S. Department of Justice, Criminal Division

Attorney in the Child Exploitation and Obscenity Section and the Computer Crime and Intellectual Property Section 1997–2000

Los Angeles District Attorney’s Office Deputy District Attorney, handling felony and misdemeanor cases and also serving in the sex crimes unit, where he specialized in cases involving adult rape, child molestation and child abuse 1990–1997

Hemu’s Schools Boston University School of Law Boston, Mass. Graduated 1990 Wesleyan University Middletown, Conn. Major: Political theory and government Graduated 1987

A MySpace time line

January 2004 Official site launch of MySpace

February 2004 1 million members

November 2004 5 million members

October 2005 $580 million acquisition by News Corporation

May 2006 Hemanshu Nigam hired as CSO June 2006 80 million members

— MySpace announces it will block adults from contacting 14- and15-year-olds without knowing their e-mail address or full name, make privacy settings available for all users, and block alcohol and tobacco ads for underage users

August 2006 100 million members

October 2006 — Wired reports that hundreds of registered sex offenders have created MySpace pages using their own names

December 2006 135 million members — Worm using QuickTime exploit spreads through MySpace — MySpace announces a plan for blocking convicted sex offenders from the site January 2007 — Four families sue MySpace, claiming their underage daughters were sexually abused by adults they met on the site

— MySpace announces that it’s developing free software that parents can use to monitor public information their children post at the site

February 2007 150 million members

Related Download
Real-time visibility Sponsor: Interactive Intelligence
Real-time visibility
Get real-time visibility in the contact centre. See immediate benefits. Real-time visibility in the contact centre is crucial. When you do not have the info you need to make decisions, you lose out on the single best way to create a competitive advantage. Solving this issue is simple, though.
Register Now