Omar Bustamante/Fusion

For the last ten months, Einar Otto Stangvik has been digitally watching people download detestable files with names like "Boy gets a mouthful," "Cute young girl fingered by mom," and "10 year old girl blows."

A former computer security consultant based in Norway, Stangvik has been spending his days monitoring file-sharing sites—hosted in what he calls "shady parts of the world"—that he suspected were being used to swap pornographic images and movies of children. He'd coded a program that scraped metadata from images shared on the sites, and logs that the sites were publishing daily about their downloads. Then, he and colleagues at the Norwegian newspaper VG began combing through their database, producing a jumble of filenames, IP addresses, usernames, and email addresses, ultimately identifying 95,000 people who'd downloaded child porn over the previous year.

"My wife found it strange at first for me to do this work," Stangvik told me. "You expect someone else to do this, that the police would do this."

Stangvik and his colleagues mapped where the downloaders were, based on their IP addresses, to generate the visualization below. The team also reached out to ten of the Norwegians on the list, seven of whom admitted to having downloaded the underage nude photos and videos. The men had a variety of excuses as to why they'd done it, but all swore they would stop after being confronted.

"You'll never, never find me again on such sites," says a married father, whom the paper left anonymous.


A disturbingly beautiful visualization of the world of child porn downloads

Stangvik is one of a new breed of "digilantes" who are using their technological skills to pursue citizen justice for internet-based crimes when official law enforcement agents can't—or won't—investigate themselves. Like the Western frontier of the 1800s, the internet is a place where the tools and abilities of criminals often outpace the capabilities of those chasing them. But rather than going after rustlers who have stolen cattle or cheated at poker, these vigilantes pursue people and companies who have stolen photos, information and privacy from innocent victims online.

"People are taking matters into their own hands and large communities form around them," says Gabriella Coleman, an academic who has written extensively about the vigilante group Anonymous. "When it comes to certain forms of Internet-based harassment and porn, police are so ill-equipped to deal with the problems. This is filling the vacuum."


Einar Otto Stangvik at the VG office

Some digilantes are willing to break the law in pursuit of justice, like the unknown hacker who broke into people's home routers to alert them they were insecure. Or "Phineas Fisher," an anonymous hacker who broke into the corporate servers of surveillance companies selling spy tech to repressive regimes. It caused a massive hit to the reputation of the professional security firms, and exposed their doing business with Sudan, despite an arms embargo on the country.

I'll writeup how hacking team got hacked once they've had some time to fail at figuring out what happened and go out of business

— Hack Back! (@GammaGroupPR) July 7, 2015

But most digilantes simply do this work as a charitable side hobby—like Clark Kent donning the Superman cape after clocking out at the Daily Planet. That's how Stangvik started out. Looking for the people posting despicable photos online was something he did in his spare time before he took down a guy that got a newspaper to notice what he was doing and hire him.


The targets of digilante justice can be varied. Adam Steinbaugh, a law clerk in California, has spent the last several years unmasking the proprietors of so-called "revenge porn" sites, where nude photographs of people (usually women) are posted by their exes without their consent. In Sweden, a group of researchers hunt down and confront internet harassers and trolls, and broadcast their confrontations on TV. And a multinational group of technologists and activists partnered with Canada's Citizen Lab, kiddingly calling themselves the "digital justice league," while identifying and exposing companies selling malware and spying software to repressive regimes around the world.

“We very rarely meet in person because we’re geographically spread out," said the Electronic Frontier Foundation's Eva Galperin, who helps the group find victims. "We email each other and IM each other. It's not unusual for my phone to make noises in the night because someone in a ridiculous time zone just got malware.”

One thing that unites digilantes is frustration with traditional law enforcement vehicles, which they feel are too antiquated and technically inept to adequately defend the victims of internet crime. Even with child porn, which does get massive attention from law enforcement, there are still shady markets for the stuff being overlooked by authorities. "[Our work] is just as much a cry out for more funding and continued technical advancement of the police," says Stangvik.


"I spend a lot of night and weekends on this," Morgan Marquis-Boire told me last year. A technologist who started his 'digital justice league' work while employed as a security engineer at Google, like Stangvik, he's since joined a news outlet, The Intercept. "There’s a psychological strain to digital activism. You feel like what you’re doing isn’t real. There are people on the ground facing oppression and you’re just sitting in front of your computer."

[Disclosure: Galperin and Marquis-Boire serve on the technical advisory board of the Freedom of the Press Foundation, a non-profit where my partner serves as executive director.]

Of course, giving ordinary citizens the right to dole out internet justice has its risks. Self-appointed vigilantes like Chuck C. Johnson have drawn wide criticism for taking vigilantism too far, such as revealing the identity of the accuser at the heart of the Rolling Stone’s deeply-flawed UVA rape story. The people who hacked Ashley Madison and Sony Pictures also claimed to be motivated by a higher moral purpose. "Learn your lesson and make amends," wrote the Ashley Madison hacker when releasing the list of the site's users.


In his book Vigilant Citizens, Cambridge University lecturer Ray Abrahams gives examples of vigilante groups going overboard. He writes of a group of Tanzanian vigilantes in the 1980s who went after cattle thieves when state officials failed to, but also went after—and sometimes killed—“witches” who were suspected of dabbling in dark magic.

In Order Without Law, a book on rural, extralegal justice that focuses on how cattle farmers in Shasta County, California handled other people's cows wandering onto their land, Robert Ellickson notes that part of the reason the system works is that "rural residents deal with one another on a large number of fronts, and most residents expect those interactions to continue far into the future…. Thus any trespass dispute with a neighbor is almost certain to be but one thread in the rich fabric of a continuing relationship."


But digilantes are not operating in small communities, where they might have accountability to their neighbors. They are usually policing strangers, sometimes a world away, and because they are acting on a global scale, their punishments can go viral, moving far beyond the borders of the community in which the wrongdoing occurred. We see that happen with shaming mobs, who act as norm-policing vigilantes; it was in stark relief during the social media onslaught against Minnesota dentist Walter Palmer after he shot a lion in Zimbabwe named Cecil. The vigilante justice quickly evolved from an airing of condemnation on social media to an attempt to destroy the dentist's livelihood by permanently staining his online reputation, ruining his Yelp page and picketing his office.

From Walter Palmer's Yelp profile, where his dentistry office now has one star

"Shaming occurs in the absence of due process," wrote legal scholar Eric Posner in Slate. "[P]eople are often punished in a way that does not reflect the severity of their conduct. Law displaced shaming because such a chaotic system can do as much harm as good."


Like the vigilantes of old, who worried about getting in trouble for beating and even killing people, modern vigilantes who illegally hack usually try to keep their identities hidden, like Phineas Fisher. Sometimes they even try to keep their activities secret, as with banks who, according to the FBI, are beginning to illegally hack back as revenge and deterrence after being compromised. But cyber vigilantes who do their work with public shame and exposure, are usually fine with their identities being known, even as what they do is becoming increasingly controversial.

Stangvik, the child porn digilante, started out as a dabbler in online justice before deciding he needed to be doing it full-time. Two years ago, he was working for a software company as a security engineer and set up his monitoring program on anonIB and 4Chan's infamous /b channel and soon started finding photos of scantily clad women, with the posters bragging that they'd secretly stolen the images from the women's iCloud accounts. (This was a year before the same thing happened to Jennifer Lawrence and other celebrities.) Stangvik contacted the Oslo police, hoping they'd alert the women that their nudes had been hacked.

"But the police did nothing and found my behavior weird," Stangvik told me last year. "They recommended I reach out to the women directly."


So Stangvik did his own investigation, paying an anonIB site administration $200 to take down the women's photos and give him the IP addresses of those who had posted them. He went to work on forensics, gathering enough clues about one of the posters to identify him as a young and prominent member of Norway's Conservative Party.

After Stangvik took his evidence about the political figure to a newspaper, it published a story about the politician's activities, and police charged him. The politician hacker resigned and got a two-month prison sentence (four months shorter than the time Stangvik spent tracking him down).


"I’ve been a consultant and a programmer for 15 years," Stangvik told me. "I had the right skillset. I felt a need to contribute because I could contribute.”

Still, even with a vigilante victory under his belt, he was left disturbed by the experience, and the power he'd had to intervene in a stranger's fate.

"Members of the public shouldn’t do the police’s work," Stangvik told me last year. "If I out the wrong person, I destroy his life."