It’s a funny name, but "sextortion" is a serious issue cascading through the digital world. It has serious consequences for its victims, and it needs serious solutions from government, business, and society.

So what exactly is sextortion? It’s a sex crime in which a perpetrator blackmails a victim by acquiring personal information - typically pornographic images of that victim - and then demanding more under threat of posting those images in the public sphere. The perpetrator grows stronger and more manipulative as the victim turns over more material, in secrecy, over time. Unimaginable for most of us, the practice is sadistic, cultivates fear, and exerts torturous control over the victim.

It usually starts through social engineering or hacking - not dissimilar to how many businesses fall victim to bad actors - and it’s something about which the general public knows very little. Really, sextortion is a symptom of a much larger cybersecurity issue involving education and awareness. We may need to alter common privacy practices to combat it, pass federal and state bills to give prosecutors and law enforcement the tools they need to fight it, and provide victims with the assurance that they will be protected. 

I learned a bit about this Wednesday during a webcast discussion hosted by the Brookings Institution’s Benjamin Wittes, along with Prof. Danielle Citron and Attorney Carrie Goldberg. The discussion was timed with the release of two reports (here and here) from Brookings on sextortion, both of which are sure to have a positive influence on public policy.

Without a doubt, my eyes were opened to a number of incredibly disturbing issues that we, as a society, must address.

This blog has discussed many forms of online harassment in years past – from online shaming to trolling to nonconsensual pornography. Sextorion is one more nefarious bit of negative human behavior we have to add to this digital mix.

Like the other examples above, sextortion is not just a fringe issue affecting an unfortunate few.

In fact, it’s difficult to assess how common it is because of the very nature of the crime. Unlike nonconsensual pornography, trolling, and online shaming, all of which derive their effectiveness from public damage to the victim’s reputation, sextortion is dependent on secrecy. Citron pointed out that cyberharassment is predicated on reputational damage – sending images of the victim to their work colleagues, for example – whereas sextortion “is designed to be secretive” and to “enslave the victim.” The perpetrator only uses the threat of exposure to maintain control over the victim.

Though reports indicate sextortion may be increasingly common, it is rarely prosecuted. The Brookings report reviewed 78 recent cases in the U.S., 63 of which were prosecuted at the federal level, 12 at the state level, and three were foreign prosecutions. Together there were 1,397 victims in the 78 cases, but according to the best estimates of Brookings, the actual number of victims may be as high as 6,500. That's because sextortionists tend to be repeat offenders and victims do not want to disclose the privacy invasion. In 13 of the cases, prosecutors concluded there may have been as many as 100 or more victims per perpetrator.

Notably, every one of the perpetrators was male and nearly every victim was female. For minors, 70 percent were girls and 30 percent boys.

How does sextortion start? For minors, much of it stems from social media manipulation. For adults, nearly half of it derives from invasive computer hacking.

“This report is going to help so many victims,” Goldberg said during Wednesday’s webcast. She knows a thing or two about victims of sextortion. As a civil attorney, she represents many of them.

Part of the problem for victims is the lack of awareness by law enforcement. “I often find that clients go to local law enforcement and are turned away,” she said. “When law enforcement hears ‘Internet’ or ‘sex video,’ they shut down.” She points out that police often lack the skills, tools, training, or staff to investigate these cases. In fact, they’ll actually tell the victim to investigate. “And that’s a catch-22,” she said. “It’s the victims who need law enforcement to do that for them.” Plus, Goldberg said she often must negotiate with police to not charge the victim with a crime for making and sharing images of themselves in the first place.  

To help represent victims, Goldberg and her team exercise what she calls some “cyber-sleuthing.” Victims often do not know who the perpetrator is, so it’s up to her and her team to uncover – or de-anonymize – the criminal. They make sure the victim’s phone isn’t tapped, and they collect as much evidence – emails, texts, screen shots, phone numbers, you name it – to help unmask the offender.

This is where tech companies and ISPs come in. She said it’s hard to get access to individuals via ISPs – hopefully because of solid privacy practices. However, Goldberg pointed out, Facebook, for example, has forms for law enforcement to fill out when applying a subpoena, but no such streamlined process is available for civil attorneys. She did say ISPs are usually responsive once a lawsuit on behalf of the victim has been filed. This, too, is tricky. Victims of heinous sex crimes don’t want to be identified. So a civil suit is usually filed on behalf of Jane Doe. 

How do we design privacy policies to be flexible enough to accommodate these kinds of criminal investigations? And, how do these policies not turn into the same kind of victim blaming that often comes with similar sexual assault issues in the "off-line" world? So often, victims have to jump a high bar to prove they were victimized. This often prevents them from coming forward. Remember, too, that Golderberg often has to negotiate with police to stand down from charging the victim for the initial image.  

Here's a typical fact pattern: Goldberg said two strangers may meet in an online chat room, or some platform that allows for anonymity. They develop a relationship. The perpetrator may then introduce another stranger (often the same person with a different online identity) to further cultivate trust. This “pre-vetted” second stranger, after a while, then pressures the victim to be sexual – for instance, to strip on Skype. The victim then gives in and receives a message saying, “I bet you wish you hadn’t done that.” The perpetrator then begins blackmailing the victim for more extensive sexual imagery – some of which will not be described on this blog.

“I’ve seen heinous things,” Goldberg said. “It’s the most malicious and sadistic pattern of behavior I’ve ever come across.”

This is where the law comes in. A strong federal law would not only make such a practice a crime, it would prompt important triggers to help victims. As Brookings points out, there are federal sex crime and extortion laws currently on the books, but there are disparities that allow "similarly-culpable perpetrators" to receive vastly different sentences, and victims a sense of injustice. Citron also pointed out to me that state laws addressing sextortion are needed as well, as current laws don't capture such crimes adequately. The second Brookings report fleshes this complicated matter out more fully here. 

“Law is our teacher,” Citron said. “It educates us and helps shape our cultural attitudes.” Plus, she added, it gives prosecutors the tools they need to investigate incidents so victims feel more confident going to the police. And Goldberg said federal law also acts as deterrence. She said such a law would help law enforcement build a budget for educating officials, and purchase tools to uncover anonymous perpetrators.

In an email exchange, Citron also emphasized to me how important it is for kids to feel like they can trust adults. "Somehow we need to work on conversations to ensure that kids don't feel shame for producing the material," she wrote. "Secrecy is what sextortionists thrive on so trust is key to break down that secrecy." That trust is often challenged by those who could be protecting the victim. 

A lesson in sextortion is also a lesson in cybersecurity, something Wittes pointed out during Wednesday’s conversation. The two main catalysts are social engineering and hacking. These are vulnerabilities organizations large and small, public and private, are facing every day. As Wittes noted, “We tend to think cybersecurity involves victims that possess significant power, and we look at teenagers as not attractive targets. They don’t have money or data worth stealing.” But sextortion proves teenagers, for example, are rich targets. They have contact lists of their friends, each of whom can be further exploited by serial sextortionists. 

“We have defined cybersecurity much too narrowly,” Wittes said. “We must understand that truth.”

As a result, educating children and adults about digital hygiene is paramount. Strong passwords, two-factor authentication, avoiding suspicious emails and attachments, being careful on anonymous platforms, and not trusting online personalities: These all need to become commonly understood, practiced, and, if possible, built in to products and services. 

I highly recommend the two Brookings Institution reports. Though, on the surface, it may sound like a crazy, fringe topic, sextortion is real, pervasive, and damaging – especially to women and children.

True, this is cliché, but Louis Brandeis has said sunlight is the greatest disinfectant. A general awareness of sextortion and the harm it causes will hopefully help victims feel more confident about coming forward to prosecute their tormentors; get police the budgets, tools, and skills they need to go after perpetrators; start parents and teachers down the path of educating children about digital hygiene and privacy; and get businesses thinking about ways they can build in protections and education into their products and services.

photo credit: Work Work Work [54/366] via photopin (license)