The shark's bleached teeth are still sharp as carving knives, its glassy stare still menacing. Nine feet long, the stuffed golden hammerhead bolted
to Michael D. Allison's office wall is a testament to his skills as a deep-sea fisherman. It's not a bad metaphor for Allison himself, either. A
41-year-old British expat and private investigator, Allison makes his living prowling the murky chambers of the Internet, hunting down Net criminals
and other bottom-feeders. "It's an adrenaline rush when you finally catch someone," he says in his well-preserved British lilt. "I love the thrill
of the chase."
Indeed, the chase never stops at Allison's company, the 10-person Internet Crimes Group in Princeton, N.J. Sleuthing for major law firms and large
companies, such as telecommunications giant Ericsson, ICG's mission is to uncover the dirty dealings of the Digital Age. ICG doesn't go after hackers.
Rather, it targets what Allison politely refers to as "troublemakers": day traders blasting false information to manipulate a stock, stolen-goods
rings selling booty from underground Web sites, or perhaps an ex-employee e-mailing a CEO death threats. "People still feel emboldened by the
anonymity of sitting at a computer screen," says Allison. "But the bottom line is that the Internet is not anonymous."
Since its founding in November, 1997, ICG says it has unmasked the real-world identities of online perpetrators in about two-thirds of its 350
cases to date. Thirty-five investigations are now active. Growing solely by word of mouth, the company projects revenues to climb 300% by yearend, to
$1.5 million. Allison figures the demand for cybersleuths will only increase in the coming years, given "all the swindles and cons moving to the
There are no film-noir backdrops or trench coats inside ICG's "war room," a cramped, stuffy office in a Tudor-style building 30 yards from the
main gates of Princeton University. Four, sometimes five twentysomething male investigators crowd in during the day, their hulking desks pushed side
by side, literally close enough to see each other's fading teenage acne. This is no jeans-and-T-shirt Web operation. Allison insists his young staff
wear ties and reminds them that "shaving is compulsory."
ICG's sleuthing system is a mix of high-tech analysis and old-fashioned brainpower. Custom software, for instance, can analyze a Web site and pull
all the message-board posts made under a single screen name. Then the group will dissect those messages for clues to a suspect's age and location,
sometimes hiring former FBI "profilers" who develop a psychological profile of the person. This firepower isn't a guarantee of success, concedes
Allison. Sophisticated Web manipulators are now using cloaking services--with such names as Anonymizer--to completely destroy their tracks.
What's more, some privacy and free-speech advocates worry that cybersleuthing, as practiced by ICG and competitors such as New York-based Kroll
Associates and DSFX in Falls Church, Va., can be used to intimidate people engaged in lawful speech or commerce. "There's a real danger that people's
anonymity will be breached for improper purposes," says Santa Ana (Calif.) attorney Daniel A. Leipold, a critic of online investigators. Allison says
his firm has refused some cases, such as "dirt digging" for political campaigns. "Before we do anything, we ask ourselves whether it's legal,
ethical--and profitable," he says.
Lawyers often enlist Allison's help when a case takes them into territory they can't traverse alone. Attorney Scott C. Oostdyk, a partner at
Richmond (Va.) law firm McGuire, Woods, Battle & Boothe, recently brought in ICG to help its client Ericsson hunt down a suspect who, it contends,
caused $100,000 in damage by maliciously crippling the company's server with 200,000 spam messages promoting a lewd 1-900 number. "We cannot possibly
know all the forensic computer techniques that they have," says Oostdyk.
First on the case was Jeff Bedser, a 32-year-old Tom Clancy fanatic who prowls the war room as its unofficial general. After the call came in last
November, Bedser and three analysts launched their investigation. Using search engines, Bedser scoured the Internet for past postings of the spam
message. He eventually found one on a dormant Web site, which happened to include a fax number from a free-faxing service. Wielding civil subpoenas,
Oostdyk unearthed registration information that the spammer gave to both the free-fax service and, later, free Internet service providers. Picking
through the registration data, Bedser recognized a pattern of similar screen names.
Bedser fed those screen names back into more search engines, unearthing instances where the online handle was attached to a real name. Then came
the clincher: Bedser entered the real identity into public databases that track real estate and business transactions. There he found that the
suspected spammer lived in the same area suggested by access records obtained from the free ISPs. Bingo. They had their man. ICG says it has sent its
findings to the local FBI office for investigation. A civil suit is also in the works.
Success notwithstanding, Allison has had his tough times getting there. While posted in the U.S. as a public information officer for the British
government, he was first recruited by Kroll, which had worked with him when it solicited information about Britain. From there he went to Sahlen &
Associates in New York, whose managers were later found guilty of accounting fraud. He left in late 1988, just months before their schemes were
revealed. He began hustling on his own, doing management background checks at bargain prices for what he describes as "fourth-rate" Wall Street
Three years later, he had graduated to doing background checks for top Wall Street firms such as Merrill, Lynch & Co. and Donaldson, Lufkin &
Jenrette. Over the next six years, he built his company, International Business Research, into a solid, if unspectacular, due-diligence firm with 10
people and revenues of more than $1 million. Then, in November, 1997, Allison got a call from a pharmaceutical company. It wanted him to investigate
an online message board on which an employee was reportedly leaking information about a new product. He caught the leaker, and saw the future. "It
was like being hit by a 2-by-4," he says. "We were suddenly in the business of becoming cybersleuths." Allison started ICG as a new unit and
recently spun it off as a separate company.
To recruit his investigators, Allison tapped into Princeton's trove of computer-savvy students. (He throws an annual open house for undergrads.)
And he's since added a few grownups, including an ex-FBI agent and an attorney.
Allison expects to double the number of employees by next year, possibly adding services to track down hackers. In a fit of hyperbole, he also
speaks of undefined plans to enter "B2B e-commerce." Allison may be getting ahead of himself there. Then again, perhaps he has learned a lesson or
two from the hammerhead on the wall: Never stop moving.
This article was originally published in the March 27, 2000 print edition of Business Week. To
subscribe, please see our subscription policy. http://businessweek.com/smallbiz/contact.htm
Dennis K. Berman