The shark's bleached teeth are still sharp as carving knives, its glassy stare still menacing. Nine feet long, the stuffed golden hammerhead bolted to Michael D. Allison's office wall is a testament to his skills as a deep-sea fisherman. It's not a bad metaphor for Allison himself, either. A 41-year-old British expat and private investigator, Allison makes his living prowling the murky chambers of the Internet, hunting down Net criminals and other bottom-feeders. "It's an adrenaline rush when you finally catch someone," he says in his well-preserved British lilt. "I love the thrill of the chase."
Indeed, the chase never stops at Allison's company, the 10-person Internet Crimes Group in Princeton, N.J. Sleuthing for major law firms and large companies, such as telecommunications giant Ericsson, ICG's mission is to uncover the dirty dealings of the Digital Age. ICG doesn't go after hackers. Rather, it targets what Allison politely refers to as "troublemakers": day traders blasting false information to manipulate a stock, stolen-goods rings selling booty from underground Web sites, or perhaps an ex-employee e-mailing a CEO death threats. "People still feel emboldened by the anonymity of sitting at a computer screen," says Allison. "But the bottom line is that the Internet is not anonymous."
Since its founding in November, 1997, ICG says it has unmasked the real-world identities of online perpetrators in about two-thirds of its 350 cases to date. Thirty-five investigations are now active. Growing solely by word of mouth, the company projects revenues to climb 300% by yearend, to $1.5 million. Allison figures the demand for cybersleuths will only increase in the coming years, given "all the swindles and cons moving to the Internet--billions worldwide."
There are no film-noir backdrops or trench coats inside ICG's "war room," a cramped, stuffy office in a Tudor-style building 30 yards from the main gates of Princeton University. Four, sometimes five twentysomething male investigators crowd in during the day, their hulking desks pushed side by side, literally close enough to see each other's fading teenage acne. This is no jeans-and-T-shirt Web operation. Allison insists his young staff wear ties and reminds them that "shaving is compulsory."
ICG's sleuthing system is a mix of high-tech analysis and old-fashioned brainpower. Custom software, for instance, can analyze a Web site and pull all the message-board posts made under a single screen name. Then the group will dissect those messages for clues to a suspect's age and location, sometimes hiring former FBI "profilers" who develop a psychological profile of the person. This firepower isn't a guarantee of success, concedes Allison. Sophisticated Web manipulators are now using cloaking services--with such names as Anonymizer--to completely destroy their tracks.
What's more, some privacy and free-speech advocates worry that cybersleuthing, as practiced by ICG and competitors such as New York-based Kroll Associates and DSFX in Falls Church, Va., can be used to intimidate people engaged in lawful speech or commerce. "There's a real danger that people's anonymity will be breached for improper purposes," says Santa Ana (Calif.) attorney Daniel A. Leipold, a critic of online investigators. Allison says his firm has refused some cases, such as "dirt digging" for political campaigns. "Before we do anything, we ask ourselves whether it's legal, ethical--and profitable," he says.
Lawyers often enlist Allison's help when a case takes them into territory they can't traverse alone. Attorney Scott C. Oostdyk, a partner at Richmond (Va.) law firm McGuire, Woods, Battle & Boothe, recently brought in ICG to help its client Ericsson hunt down a suspect who, it contends, caused $100,000 in damage by maliciously crippling the company's server with 200,000 spam messages promoting a lewd 1-900 number. "We cannot possibly know all the forensic computer techniques that they have," says Oostdyk.
First on the case was Jeff Bedser, a 32-year-old Tom Clancy fanatic who prowls the war room as its unofficial general. After the call came in last November, Bedser and three analysts launched their investigation. Using search engines, Bedser scoured the Internet for past postings of the spam message. He eventually found one on a dormant Web site, which happened to include a fax number from a free-faxing service. Wielding civil subpoenas, Oostdyk unearthed registration information that the spammer gave to both the free-fax service and, later, free Internet service providers. Picking through the registration data, Bedser recognized a pattern of similar screen names.
Bedser fed those screen names back into more search engines, unearthing instances where the online handle was attached to a real name. Then came the clincher: Bedser entered the real identity into public databases that track real estate and business transactions. There he found that the suspected spammer lived in the same area suggested by access records obtained from the free ISPs. Bingo. They had their man. ICG says it has sent its findings to the local FBI office for investigation. A civil suit is also in the works.
Success notwithstanding, Allison has had his tough times getting there. While posted in the U.S. as a public information officer for the British government, he was first recruited by Kroll, which had worked with him when it solicited information about Britain. From there he went to Sahlen & Associates in New York, whose managers were later found guilty of accounting fraud. He left in late 1988, just months before their schemes were revealed. He began hustling on his own, doing management background checks at bargain prices for what he describes as "fourth-rate" Wall Street brokerages.
Three years later, he had graduated to doing background checks for top Wall Street firms such as Merrill, Lynch & Co. and Donaldson, Lufkin & Jenrette. Over the next six years, he built his company, International Business Research, into a solid, if unspectacular, due-diligence firm with 10 people and revenues of more than $1 million. Then, in November, 1997, Allison got a call from a pharmaceutical company. It wanted him to investigate an online message board on which an employee was reportedly leaking information about a new product. He caught the leaker, and saw the future. "It was like being hit by a 2-by-4," he says. "We were suddenly in the business of becoming cybersleuths." Allison started ICG as a new unit and recently spun it off as a separate company.
To recruit his investigators, Allison tapped into Princeton's trove of computer-savvy students. (He throws an annual open house for undergrads.) And he's since added a few grownups, including an ex-FBI agent and an attorney.
Allison expects to double the number of employees by next year, possibly adding services to track down hackers. In a fit of hyperbole, he also speaks of undefined plans to enter "B2B e-commerce." Allison may be getting ahead of himself there. Then again, perhaps he has learned a lesson or two from the hammerhead on the wall: Never stop moving.
Do you know what to do if your company's reputation is attacked online? For tips, click Online Extras at frontier.businessweek.com