By Karen Rouse
The Princeton Center for Information Technology Policy is known for its research on artificial intelligence, privacy and security and the internet. But just as critical to the center’s mission of studying digital technologies for the good of society is training. In the last year, CITP partnered with The State Center — a non-partisan, non-profit that offers training and educational support to states’ Attorneys General (AGs) — on an ambitious project to train AG staffers and investigators on how to navigate the internet, recognize fake sites and spot online scams that trick and ensnare consumers daily.
AGs have a long history of investigating mail and phone scams, but with the swift rise in online crimes, they need new investigative tools to protect consumers, said Mihir Kshirsagar, CITP’s Tech Policy Clinic Lead who spearheaded the project known as “Tech 101.” Kshirsagar’s past experience as lead trial counsel in the New York Attorney General’s Bureau of Internet & Technology helped inform the program; he taught the first two classes with CITP graduate researcher Anne Kohlbrenner, a computer scientist with expertise in web security, before handing her the reins.
“AGs are the front line of protecting consumers against scams, but are sometimes intimidated by the technical details of how they are carried out online,” said Kshirsagar, who also sits on The State Center’s board. “Our training demystifies the internet and gives them the foundation to use new investigative tools effectively.”
The first Tech 101 class was held at the Washington, D.C. headquarters of The National Association of Attorneys General (NAAG) in November 2022, and covered the topics of internet infrastructure, security and privacy, and data gathering. A second training was held at the New York Attorney General’s office. It was so well received, Kohlbrenner took the CITP project on the road to 10 additional locations, including the cities of Raleigh, Indianapolis, San Francisco, Boston and Hartford, as well as to sites in Utah and Arizona.
“We had a really positive reception,” said Kohlbrenner, noting that as many as 25 attorneys, investigators and other staff participated in each training. “Participants were often excited to have been able to understand something that seemed mysterious before. Sometimes they tried out the techniques right away on a website they were investigating.”
Kohlbrenner also shared insights into how to inspect a website or app to figure out what data it is collecting from users, and how to investigate a website’s claims that it protects the privacy of the people who visit it. The AGs also considered questions like “How are communications protected?” and the differences between the “Deep Web” and the so-called “Dark Web.”
In all, 12 training workshops were held across the country, supporting more than 200 attorneys and consumer affairs agents.
CITP Communications interviewed Kohlbrenner about the experience in the following Q and A:
What is your tech expertise, your academic background and research focus?
My undergrad degree is in computer science and my early research experience was in security. At CITP, I’ve worked on Mozilla Rally and WebScience, our platform and toolkit for democratizing access to browser-based research.
How did you get involved in this training?
Mihir saw a need among state AGs for education in online threats and investigatory tools. That kind of training can be hard to come by and he thought CITP was a natural organization to provide it. We’d worked together on some education projects before, and he knew about my plans to go into teaching, so he asked whether I’d be interested in working on creating this training.
Who are your collaborators or partners?
Mihir at CITP, and Anne Schneider at the State Center. The National Association of Attorneys General (NAAG) also helped us put together the first pilot workshop.
Can you say how it is funded?
The State Center, a nonpartisan nonprofit that works to support state AGs in their consumer protection and antitrust work, provided the funding.
What is the goal or goals with this training? For instance, you’ve talked about giving people language where they don’t have vocabulary.
One of the main goals was to demystify computers and the Internet in general. I think the media has given many people the impression that computers are magical black boxes that only “tech geniuses” can possibly understand. That’s just not true, but the perception makes people think it isn’t worth trying to understand.
Part of my goal is to show people that they really are capable of understanding how computers and the internet work so that they have the confidence, tools, and vocabulary to continue that exploration in the future.
How did you decide what to teach?
Each training has a total of three modules, chosen partly through necessity and partly tailored to what Mihir saw AGs needing. We start with internet infrastructure, which gives participants the essential background that they need for the other modules. The security and privacy module covers a few things that AGs often deal with, like the kinds of data in data breaches, how tracking works, and practical security advice.
Finally, the data gathering module is intended to give them general purpose tools for investigations: ways to find information about who runs a scam website, how to discover privacy violations, and ways to look inside a website to understand how it works.
Do they get a certificate for going through the course?
Several offices applied for and received authorization to use the course for continuing legal education, so their lawyers used it to satisfy part of their annual continuing legal education requirement.
When you speak to a group, what common elements do you find among your audience? For instance, are they all people with a computer science background?
Most participants have very little tech background — lots of lawyers. Several offices sent their whole consumer protection division, so it was a mix of people working on different kinds of things. Often they’d worked on a lot of cases that involve the internet to some extent, but they didn’t know much about how the modern Internet works or how to go beyond the “surface view” to understand how the underlying tools work.
How did you choose where to start in the subject matter, what topics to hit on?
The workshops started from the assumption that people had used computers, but had no particular tech background, so I explained things from scratch. We identified a handful of topics that we knew we wanted to cover, so a lot of the material was just building up to being able to explore those topics.
Often people had heard some of the terms — VPN, IP address, encryption — but they didn’t know what they really meant, or they had misconceptions from the way these things are portrayed in movies.
What types of scams are they telling you are most common?
I heard about a lot of privacy concerns, as well as data breaches. Several offices mentioned criminal cases where they were worrying about VPNs and attributing responsibility.
Can you describe how this training helps them to fight scams or other crimes?
The tools we discussed can be useful in understanding what a website is doing (detecting privacy violations or dark patterns), and in discovering information about who runs a site. Several offices were also very interested in practical security advice that they could give to consumers, or even use themselves.
Have you had to change the lesson plans as you go along?
I didn’t have anything about AI at the beginning, but tools like ChatGPT took off as the program went on, so by the end I added a very short section about the different kinds of tools, what they’re used for, and what concerns they raise. They all got a huge kick out of the story of a lawyer who used ChatGPT to write a brief and got sanctioned by the judge because the ChatGPT output included made-up cases. An excellent cautionary tale!
Has anything surprised you about the course or the “students”?
I hadn’t initially understood the differences between state AGs; I’d assumed they were all roughly the same, but they can differ in how much criminal jurisdiction they have. Some offices were very focused on privacy, while others didn’t seem to be thinking about it much. Factors like those changed the flavor of questions that participants asked and I didn’t initially understand why different offices were approaching the same topics from such different angles.
The diversity in experience between participants was also interesting. A funny interaction that I saw a couple times was that after I talked about passwords and password managers, someone would ask whether there was a password manager I recommended that they use, and someone else would say, “Seriously?! Our office has a subscription to a password manager, and I’ve been trying to get you all to use it for years!”