Police in Biloxi, Mississippi received a disturbing report in the summer of 2011: someone using the e-mail address dalton.powers1@yahoo.com had been contacting young girls in the area through Facebook. "Dalton" said he was new to Biloxi and was looking for friends. When girls aged 9-16 responded, he struck up conversations. These led quickly to a question game in which he asked the girls about their bra sizes, sexual experiences, and bodily imperfections.

When girls responded, Dalton then demanded that they go further and send him topless images. If they did not, he would take the information provided by the girls themselves and send it to their parents, friends, and school officials. Numerous girls complied, though some could only bring themselves to pose in their underwear. Nearly every shot came from the cameras on the cell phones each girl owned.

Of course, a single picture wasn't enough. Dalton demanded that those in their underwear send him topless shots, that those already topless send him fully nude shots, and that those who had posed nude send him live webcam footage of sexual activity. Some girls, even very young ones, did so in order to avoid further embarrassment.

Parents complained to police after several girls revealed what had been happening. "They didn’t want to play his game anymore,” Biloxi police Detective Donnie Dobbs told a local paper recently.

Connecting Facebook accounts and e-mail addresses to an IP address is trivial; connecting those IP addresses to real-world Internet subscribers is no harder. So the Biloxi police had little difficulty tracing Dalton to a house on Melbourne Circle in Montgomery, Alabama.

The only problem: while IP address lookups may be accurate, they never identify people. And the family living in the house on Melbourne Circle certainly hadn't been conducting criminal extortion on Facebook. So what was going on?

At about the same time, police in Livingston Parish, Louisiana received similar reports from local families. This time, one "CJ Harper" was at work, using a similar scheme to obtain sexual photos. At least one 12-year old girl sent Harper a photo, while a 14-year old and 15-year old each performed "lewd and lascivious acts" for Harper though Skype.

One of the contact e-mails for CJ Harper was dalton.powers1@yahoo.com; when police in Louisiana traced the IP addresses behind the account, they also resolved to Montgomery, Alabama. CJ Harper and Dalton Powers appeared to be the same person, but just who was that person? The IP address lookups this time didn't resolve to the house on Melbourne Circle but to another home on Worthing Road.

With reports like this rolling in from across state lines, the FBI took over the case. Special Agent Erik Doell visited the home on Worthing Road, hoping the owners could explain just how their IP address had come to be linked to the case. The home was owned by a couple who told Doell that they had been on a trip to the Dominican Republic at the time of the offenses. A house-sitter had been there instead, they said, a man named Graham Gunn.

Doell tracked down Gunn, who said that others had visited him during his stay on Worthing Road. One visitor was a friend who actually lived in the Melbourne Circle home that had been linked to the Biloxi case—so, case cracked? Not quite. One of Graham Gunn's relatives, Christopher, had also visited the Worthing Road house. The relative brought along a laptop, and had allegedly been quite secretive about his activities. Further discussion with the friend revealed that Christopher Gunn had also visited the home on Melbourne Circle and had used the Internet there from his own computer and from family computers.

And once it became clear that Christopher Gunn had a link with both houses in the case, he became the investigation's target. That's because Gunn had been raided by local police in Montgomery months earlier after suspicion that he had been running a similar extortion on local junior high school girls.

The Bieber Ruse

Back on April 7, 2011, an officer at Prattville Junior High School had notified his bosses about someone called "Tyler Mielke" who had been contacting local girls through Facebook and asking for nude pictures.

Cops drove out to the school and sat down with the girls and a guidance counselor. There the police learned that Tyler had run through the "new kid in town" scam with the same "what's your bra size?" questionnaire.

Tyler had gone to extra lengths to make his threats against the girls seem real, allegedly going so far as to call the girls using a spoofed phone number that appeared to be from the junior high school. On April 12, police in Montgomery called Facebook's Law Enforcement Hotline and obtained the IP addresses used to access Tyler's Facebook account. All were from Charter Communications, which informed police the addresses resolved to an apartment on Creek Drive in Montgomery.

On April 14, police executed a state search warrant on the apartment and found Christopher Gunn and his four computers, an external hard drive, and three flash drives. Scrubbing through the data on the computers, police claimed that Gunn had spent January to April searching Facebook for local female juveniles—and that he had contacted more than 250 of them in the Montgomery area alone under the Tyler Mielke name.

Remarkably, despite the search, Gunn allegedly continued his extortion, sort-of disguising his IP address by logging in from friends' homes and targeting girls who lived further away. (The FBI believes he engaged girls in Florida, North Carolina, Virginia, Pennsylvania, Michigan, and California.) In the end, investigators said that Gunn had used seven Facebook IDs. They also claimed that he switched tactics, eventually ditching his "new kid in town" routine to pretend that he was pop star Justin Bieber trying to meet young fans.

Not in my house

With the cases connected, Doell prepared to bring Gunn in. Doell obtained a federal search warrant and tracked the location of Gunn's phone. For one month, the phone spent most of its time in the apartment on Creek Drive. On March 20, 2012, the feds paid the place a visit.

Gunn and his mother were there, along with an Acer laptop and the cell phone that Doell had been tracking. A state computer investigator looked through the phone that same day and said he found "several images of young females posing topless in the mirror, as well as a photograph of a blonde female posing totally nude in the mirror." The FBI took the computer; its examiner also said he found similar images on the machine and in its Recycle Bin. He also turned up a much "harder" video of a prepubescent girl being penetrated by an adult male.

Gunn was arrested and charged with possessing child pornography. On April 13, his lawyer notified the judge that Gunn was prepared to change his plea from "not guilty" to "guilty." Two weeks later, the Grand Jury investigating the case returned with three counts of extortion and two counts of producing child pornography. The Grand Jury eventually found that Gunn's "New Kid Ruse" went all the way back to 2009, while the "Justin Bieber Ruse" ran only from November 2011 until just before his arrest. With far more charges and the possibility of a much tougher sentence, Gunn pled "not guilty." The case remains ongoing.

Similar crazy Internet "sextortion" stories have made repeated headlines over the last six months, but men like wheelchair-bound Luis Mijangos in California and accused Indiana sextortionist Richard Finkbiner have generally been charged with working from home IP addresses. When they don't, innocent Internet subscribers run the risk of being sucked up into the investigation.

At least in this case, the government appeared to avoid the "kick down the door first and ask questions later" approach it has sometimes taken in past child porn investigations. An Associated Press article described one such raid last year, based on an IP address that turned out to lead to an innocent man:

Lying on his family-room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didn't need long to figure out the reason for the early-morning wake-up call from a swarm of federal agents. "We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum." "No, I didn't," the man insisted. "Somebody else could have but I didn't do anything like that." "You're a creep ... just admit it," they said. Law-enforcement officials say the case is a cautionary tale. Their advice: Password-protect your wireless router.

Well—yes, it is a cautionary tale, but it's also a caution to police. Is banging on a door at 6am and then taking down a homeowner like he's some kind of Rambo-in-waiting really a great idea when he has no history of violence and your only real evidence is an IP address? Fortunately, Doell appears to have simply met and spoken with Graham Gunn and his friend in this case, rather than raiding two homes whose owners had nothing to do with the crimes in question.

But it should make homeowners think, and not just about running an open access point. In both homes in the Gunn case, the WiFi network may well have been locked down, but one has to exercise a bit of caution about providing access to others. When guests want your password, do you offer it reflexively? It feels inhospitable not to, and yet—whatever they do online could bring law enforcement or a private lawsuit to your door.

At least the police, after the unpleasantness with the handcuffs and the searching has ended, can be convinced you did nothing wrong. Law firms filing thousands of "John Doe" copyright lawsuits in an attempt to wring settlements out of people without a trial may see all such claims as mere excuses.

So the next time a guest asks for your network password, let them know about your personal "Acceptable Use Policy"—no child porn, no copyright infringement, no hacking, no spamming, and no crazy sextortion schemes. That guest bedroom has seen enough weird behavior as it is.