Kevin Poulsen is a senior editor at Wired News where he has covered MySpace, computer security, and blogging, among other topics. Poulsen joined Wired News in May 2005 after five years as the editorial director of SecurityFocus, a Web-based computer security publication. Prior to that, he freelanced for Wired magazine and several Ziff Davis publications and was a columnist for TechTV. In his teens and early twenties he was a hacker.
Liz Cox Barrett: Before we get to your current Wired piece — “MySpace Predator Caught By Code” — can you talk about your transition from hacker to reporter (including how you arrived at your hacker handle, Dark Dante)?
Kevin Poulsen: Well, I was 16. That was a long time ago. I couldn’t tell you how I arrived at that name.
LCB: So, the transition from hacker to reporter?
KP: When I got out of jail, I was restricted from using computers for a time and I’d always had an interest in writing …
LCB: Can you explain how you landed in jail? CNN described it this way: “Dark Dante … served time in prison for his misdeeds, including commandeering the phone lines of a radio station to guarantee he was the caller who would win a Porsche.” Does that about sum it up?
KP: I was a phone hacker … At one point I used that access to cheat a radio phone-in contest. There was a Porsche and trips to Hawaii and lots of cash.
LCB: How old were you at that time?
KP: It all ended when I was in my early 20s.
LCB: Back to your transition from hacking to journalism.
KP: Right. For a time I was not allowed to use computers, which was my only other skill [besides writing]. I wound up taking a columnist gig with the Web site of what was called at the time ZDTV, later called Tech TV. Then I went from that to doing freelancing at Wired and some Ziff Davis publications. By that time I was allowed to use computers. I joined the staff of a start-up company called SecurityFocus, which was a computer security publication on the Web. I was the editorial director for five years…. I returned to freelancing and two months later started here at Wired.
LCB: Are the two pursuits (hacking and reporting) as different as they seem at first blush? Which skills have been transferable?
KP: I think there’s some overlap in that the prime mover in hacking is curiosity and inquisitiveness and asking questions, basically, in one form or another, which is also the essence of journalism.
LCB: On to your Wired story. In a nutshell, you wrote an automated script that searched MySpace profiles for registered sex offenders. You located several hundred offenders but focused on one guy who was actively corresponding with young teens. You tried to contact the guy and some of the teens he was talking to and no one responded. You contacted the Suffolk County Police Department, shared this information, their computer crime unit opened an investigation and you agreed to hold your story until that investigation was complete. In the end, the guy served jail time.
KP: He’s in jail now but they wound up, because of a New York State Appellate Court decision, being able to charge him only with a misdemeanor, so his maximum sentence is 90 days.
LCB: So what was the genesis of this story? What was your plan at the start, your intention for it?
KP: We ran a story in April by a freelancer named Jenn Shreve, where she reported that by typing in a bunch of names from California’s sex offenders registry at random on MySpace she found seven registered sex offenders. There wasn’t much more to it than that. It begged the question, if you were to do something more thorough and systematic how many could you find? And more importantly what would they wind up being up to, if anything? What are they doing on MySpace?
So the National Sex Offender Registry run by the Department of Justice is a perfect tool for doing this kind of analysis. There are fifty different sex registry Web sites, each state has one, they all use different formats and catalog and produce different kinds of data but the DOJ site knows how to talk to all of them and presents you with some information in … a uniform manner. I wrote a program that went through the DOJ site and ran every zip code basically, moving across the country from east to west.
LCB: What did you envision as the end result?
KP: It was an experiment, an inquiry, so I didn’t really have any expectations. It turned out that there were lots of potential hits, something like out of 400,000 entries in registry, I got something like 40,000 MySpace profiles that came back as a match based on the automated portion of my search (names, zip codes). Taking a glance at some, it was clear that most of those I wasn’t gong to be able to make a positive determination that it was the same person …. I halved the potential results by excluding MySpace profiles where the user had not selected a default photo for the profile on the theory that it meant they were less likely to have other photos and perhaps weren’t even terribly active users. That left me with about 20,000 profiles and then I had to go through them manually.
To make the matches I relied primarily on photographs. MySpace is very photo-heavy and people post all sorts of pictures and the sex offender registries tend to have mug shots of offenders so it was fairly easy to make a positive match just by seeing they were the same person — and that’s in addition to the fact that their names matched, their zip codes matched, their ages matched, in some cases they had their zodiac signs on their profiles, in some cases exact birth dates were provided. There were a few tough cases where before I was able to make a positive match I had to go through their public message board posts and find references to where they worked. And that would also be listed as their place of employment in the sex offender registry.
LCB: Sounds pretty labor intensive.
KP: It took several months, it was just a part-time effort. In the end it produced 744 matches — that was after having gone through one-third of the data, about 7,000 profiles.
LCB: So again, what was your intention for this story? What did you expect to do or what did you expect would result from your analysis?
KP: I didn’t set out to bust anyone, if that’s what you’re asking.
LCB: You must have considered the possibility.
KP: I really didn’t consider that possibility. I didn’t go in with any assumptions. I went in to see what I would find. One thing I was hoping to do was to hear from sex offenders and get their own words on what they are using MySpace for. For the innocent ones, if there were any, I was interested in whether they felt vulnerable being a sex offender on MySpace given the amount of cases of predation linked to the site. It’s like an ex-shoplifter going into a store and being convinced everyone is watching him. I sent out of bunch of messages to some of the matches and I never got any responses. There were lots of ways this story could’ve turned out depending on what I found.
LCB: Your editors also had no particular plans for this story, no particular intentions?
KP: It’s hard to make plans for this kind of story until you’ve done the reporting.
LCB: You, in effect, worked hand-in-hand with the police department to put someone behind bars, which is somewhat unusual for a journalist.
KP: I’m not sure I’d put it that way.
LCB: So how do you describe what you did? Proactive journalism? Or what?
KP: Like I said, I didn’t start off looking for people to report to the police, but when I found Lubrano [the man eventually arrested] I found his activity disturbing. I didn’t rush to the phone and call 911. My first move was to send him a message to try to get an interview. When he didn’t respond and the kids corresponding with him didn’t respond, then the question was, ‘What next?’ At that point, I was at least a month away from having a story. Eventually I’m going to call the police that cover [Lubrano’s] jurisdiction to get a comment. Do I wait until I’m closer to publishing and what’s the purpose of that? Given that [Lubrano] appeared to be actively trying to meet young people I thought this is a call I’m going to make sooner or later in course of reporting, in the interest of being socially responsible, I’ll make that call now.
LCB: Did you have any qualms as a reporter about working in concert with authorities [like that] to, eventually, put someone behind bars?
KP: Generally, the whole story isn’t the kind of story I normally do. My last piece on MySpace was an attempt to deflate what I thought was a lot of the hype over the site being unsafe. That is much more in tune with my personality. Just because it was not in my normal experience in the beats I cover to call the police … I don’t think saying I had qualms about it would be accurate … I have called law enforcement in stories before.
It wasn’t the first time I got someone arrested. There was a hacker named Adrian Lamo, who had a long history of breaking into corporate networks, pulling some sort of harmless and clever hack, and then calling the press and telling them about it. I reported on him extensively and when he hacked into the New York Times Web site a couple of years ago I broke that story and he was indicted for it and arrested. He turned himself in.
LCB: Did your past in hacking help you get that story?
KP: I never understood anything of [Lamo’s] motivations.
LCB: Are you familiar with NBC’s Dateline series, “To Catch a Predator?” Are you a proponent of such projects?
KP: I have to say I always find those things kind of distasteful. It feels like a tabloid freak show, let’s bring in these people, display them on camera, set up crimes that might not otherwise have taken place.
LCB: What are your thoughts on how the press at large covers/has covered MySpace?
KP: There was a time, any story with any kind of possible MySpace connection would be linked to MySpace in the reporting. For example, the murder victim has a MySpace profile, the profile might be mentioned in the reporting and even made to sound like it had some role in the crime when it didn’t. Just as a natural part of the way reporting works, we saw that every incidence of sexual predation in which there was a nexus with MySpace, [that nexus] would be reported on, when had the exact same crime taken place through another medium, it wouldn’t be newsworthy at all. This led to a perception that MySpace is creating more crime …. When that’s not necessarily true.
Novelty is news …. Statutory rape, child molestation, these crimes are no longer the subject of headline news they’re so common but when the same thing started happening with MySpace involved that made it fresh again..
LCB: And creates an impression that MySpace is inherently bad.
KP: Right, which I don’t believe. I believe MySpace is good.
LCB: Wired published this morning the code, the automated script you created to search MySpace profiles for registered sex offenders. What might someone use that for?
KP: We’re releasing it primarily as part of a transparency-in-reporting ethic. You want to show how we did it. I’ve gotten a lot of requests from law enforcement for the code and I’m not comfortable just sending copies of this to people who ask and picking and choosing among requests so this takes the pressure off there as well. People can see what I did and how I did it. Other reporters can reproduce it if they choose to. We’ve gotten a lot of inquiries from local press who want to do it for their community, perhaps just a handful of zip codes. If they have geeky enough people on their staff they’ll be able to do that with this code — assuming, of course, that nothing changes, that neither MySpace nor the DOJ takes some action to try to stop automated searches.
LCB: Any concerns about doing this, about possibly promoting vigilantism of some sort?
KP: Yeah, I am worried about that. We’re going to put clear disclaimers in all caps saying first that the code itself won’t give you a list of sex offenders with MySpace profiles. It has a huge false positive rate. Anyone who tries to draw any conclusions just by running the code without doing the footwork is getting bad results. That’s the most important thing.
And it’s actually a crime under most states’ Megan’s Laws to use the sex offender registry to harass ex-offenders. These are generally people who have done their time and you’re not allowed to abuse this information… In my model MySpace would use the registry in the same way that we used them just to be aware that there are people in the community with a certain kind of history and then keep an eye on them.