Joe Wheatley on Privacy, Policy, and the Digital Future
Joe Wheatley, a leading figure in law, tech, and national security, spoke with Stephanie Hwang in the first episode of Cyber Law Dialogues. They discussed the global nature of cybercrime, the role of AI and data-driven tools in combating bad actors, and the importance of public-private partnerships in enforcing cyber regulations across different jurisdictions.
Steph: Welcome to the very first episode of the Cyber Law Dialogues. This series is dedicated to creating open, inclusive conversations around cyber law and policy. I'm your host, Stephanie Hwang, and in this space, we aim to break down conversations around cyber law and policy to empower the next generation of cyber leaders by inviting the brightest minds to share their insights. Today, we'll be exploring questions like: What is cybersecurity? What does the future of this evolving field hold? How can we ensure a more transparent, collaborative, and forward-thinking digital landscape?
I'm excited to kick off the series with someone who has been an incredible mentor and guide to me in tech policy, Joe Wheatley. Joe is a leader at the intersection of law, tech, and national security. After graduating from Princeton University with a degree in Public and International Affairs, he earned his JD at Penn Law. Joe has had an illustrious career at the Department of Justice, tackling complex transnational crime and cyber issues, including dismantling organized crime networks as the deputy director of Task Force Vulcan. In 2021, Joe took on a new challenge at Amazon, joining their Counterfeit Crimes Unit, where he leads efforts to hold bad actors accountable in the digital marketplace—a space that's becoming a critical front in the fight against cybercrime.
Joe, you've been a mentor to me since my early interest in tech policy and law, from working on my senior thesis to guiding me through career pathways post-graduation. I couldn’t be more excited to have you here as our first guest. Thank you for being here.
Joe: Thank you so much for having me. I’m really honored to be here.
Steph: You've had an incredible career trajectory in cyberspace and law, from your early days as a trial attorney at the DOJ, combating transnational crime, to now leading Amazon's fight against counterfeiters. Can you walk us through your journey and what inspired you to specialize in these areas?
Joe: Sure. From a young age, I was fascinated with technology—computers, email, the web, gadgets—so I knew I wanted to dive into that for work. After college, I took a year off to work as a paralegal in the DOJ’s Antitrust Division. I enjoyed it, but knew it wasn’t the right fit for me. I wanted to be a lawyer, and by the end of that time, I was pretty convinced I wanted to be a prosecutor. During law school at Penn, I focused on criminal law, supporting a professor’s research, doing internships with the DOJ, and writing about these issues for law journals.
When I got to the DOJ, I was assigned to the Organized Crime and Racketeering Section. It’s a broad name, but essentially, we dealt with criminal groups committing various crimes, many involving cyber issues. These large organizations rely on complex systems—botnets, phishing, hacking—to commit crimes. I worked closely with the Computer Crime and Intellectual Property Section on many cases. Over time, I knew I wanted to dive deeper into tech and cyber law, and eventually, I found my way back into it.
Steph: It’s fascinating to see how areas like IP, criminal law, and technology intersect. The Amazon Counterfeit Crimes Unit (CCU) is an extremely cutting-edge initiative. In a world where online marketplaces are increasingly vulnerable to counterfeit products and cybercrime, can you explain the mission of the CCU and how it operates?
Joe: Absolutely. The team was created in June 2020 to address a gap at Amazon. We had world-class controls to prevent bad actors from entering the store and listing products, but we didn’t have a team focused on external enforcement—holding these actors accountable. We do this through two channels: civil suits, often with brands, and criminal referrals to law enforcement, which they investigate and prosecute.
Steph: It sounds like a complex and evolving challenge, especially given the global scale. You’ve mentioned using tools like machine learning and big data. How do these technologies come into play in your operations, and how much of the process is automated versus relying on human oversight?
Joe: A lot of the lead generation is automated through signals like customer complaints or brand notifications—critical mass indicators that something’s wrong. Tools like Brand Registry help brands report infringements. But when it comes to external enforcement, that’s where the human element kicks in. For example, building a referral for law enforcement is done by people—me, our investigators, analysts—working with brands to explain how we identified the bad actors. So while we use vast data, human oversight is crucial for enforcement.
Steph: You’ve worked in the trial and conviction space at the DOJ. Is this also part of the process at Amazon, or do external actors handle that?
Joe: We support law enforcement, providing data and testimony when needed. If law enforcement has an investigation, we contribute by providing evidence and working with brands to support the case. We stay involved through the entire process, from investigation to conviction.
Steph: Fascinating. You mentioned technological tools like signals and filters. Do you see these methods becoming a model for other companies or even law enforcement agencies fighting cybercrime?
Joe: I do, and I think everyone is starting to rethink how they can look at data, aggregate it, break it down, and pull out lessons, conclusions, and suggestions. In law enforcement, when I left in 2021, we were experimenting with those kinds of things. All the agencies were, but now it’s like rocket fuel has been added with AI models and machine learning, which is a subset of AI. Whenever we bring a new case to law enforcement, we try to help them break it down. That’s part of our value as a team—there’s all this data, and it's not enough to just put it on the table and say, “This is what this says.” You still have to explain it in a way that people can understand.
When I was a prosecutor, and now still, if I want to be persuasive, I almost have to explain it to myself first: “If I had no background in this, how would I explain it to someone so they’d believe me and want to proceed?” That’s a key part. There’s also the conversation between people who see the technical side day to day and government agencies that might not be involved on the ground as often. That’s definitely crucial.
Steph: Let's get into the mind of a bad actor, as you call them. When people think of cybercrime, they might picture nameless, faceless hackers acting for financial gain. That was my first impression before I started researching. But it’s a lot more complex. There are nation-state hackers, ransomware gangs, cybercrime units, and more. You've worked on major national security cases in the past, and now you're addressing cybercrime in a commercial context. What constitutes 'bad actors'? Has your understanding changed from your time at the DOJ to now at Amazon?
Joe: My view hasn’t changed much. Racketeering can wear any face—it’s essentially a menu of crime. The more sophisticated the organization, the more elaborate the menu. They might choose fraud, money laundering, smuggling, bribery, extortion—you can fit them all under those umbrellas.
With counterfeiting, as reflected in our civil suits with brands, they can commit crimes at arm’s length without being in one place. They operate through chat rooms, encrypted messaging, and can outsource a lot of the day-to-day operations. You might have a network in 10 countries, and some members may never meet. Even if they know each other, it’s through a small community where they vouch for one another. It can be quite faceless—the digital world doesn’t require the criminal to be nearby. They could be halfway across the world, and that’s why we work with law enforcement globally. We get great support from agencies in China, the EU, the UK, the US, and we’re constantly expanding to other jurisdictions in Africa, the Middle East, and India. Ultimately, you have to find the person—figure out where they are and how to get them. You can disrupt the infrastructure, but you still need to reach the people behind it.
Steph: Speaking of the digital versus real world, can you share an example of a telltale sign that indicates you're dealing with a more sophisticated group rather than an isolated event?
Joe: Sophisticated groups, as seen in our civil suits, will often falsify documents to commit wire fraud on Amazon. They try to make us think their products are authentic when they’re not. Some documents look just like legitimate receipts or letters of authorization from a brand—that's a higher level of sophistication.
You also have bad actors using encrypted communications or VPNs to mask their locations, which we note in our suits. Sometimes, they’re not in the same place as other parts of the distribution chain. It could involve multiple countries. Another example is when bad actors rent or buy accounts. Someone creates a selling account, but then it’s handed over to someone else, and the original person gets paid to let them use it. The account documentation might be legitimate—real driver’s license, real person on camera—but that person hasn’t run the account in months. That signals a higher level of sophistication.
Steph: How do you identify when it’s not the original person running the account?
Joe: We and other e-commerce platforms use the INFORM Act, which requires identity verification for sellers. If you re-engage for additional verification, the original person might appear on camera, or they might not. Even if they do, they often have little knowledge of what’s been going on with the account. If they’d been using it, they’d have no problem explaining what they’ve been selling. Instead, they come back cold and ignorant—that’s a telltale sign.
Steph: Taking a step back, how do global counterfeiting networks you fight at Amazon compare to traditional organized crime groups you tackled at the DOJ? Are there parallels in their structure and operations, or are they fundamentally different?
Joe: At the DOJ, I worked on cyber and intellectual property crimes, but I spent a lot of time on violent crime—murders, robberies, shootings, assaults. It was a learning curve to shift to counterfeiting. I’d encountered counterfeiting before but at a high level, not as a specialty. So, it took time to learn the language and statutes.
In terms of sophistication, these global counterfeiting networks are incredibly sophisticated. Counterfeiting on a global scale is a $100 billion industry—hundreds of billions. Very few things generate that kind of money. The people who pull it off are highly organized. You need big manufacturing, big distribution, and people who create false documents and set up accounts to route goods worldwide. That’s no small thing.
In some ways, the violent criminal groups I encountered didn’t have this level of sophistication. They were smart, but this is on another level.
Steph: Counterfeiting, as you said, is a billion-dollar business with many complexities, one being the way cybercriminals operate in different jurisdictions to evade detection. With Amazon's global presence, there must be a lot of complexities in navigating regulations across different regions.
For example, in Europe, you have frameworks like GDPR, which place stringent requirements on data privacy, while in the US, regulations are more fragmented, with no single overarching privacy law at the federal level. In academic circles, there’s an ongoing conversation about how this patchwork of regulations creates opportunities for cybercriminals to exploit gaps. What are the biggest challenges you face in holding bad actors accountable in this legal landscape, and how do you adapt?
Joe: That’s a great question, and it's a regular topic of conversation. With respect to privacy laws and national laws in different jurisdictions where Amazon and bad actors operate, we rely heavily on our in-country legal teams and outside counsel. There’s nothing we do without consulting them—whether it’s privacy law, corporate law, or any other area. There are differences between the EU, the UK, Asia, and North America, so we tailor how we support law enforcement in each place. That includes what we put into referrals, what we can share, and what we can’t. It’s a challenge, but one we embrace because we want to get those referrals to the law enforcement agencies best suited to go after the bad actors. It’s complicated, but it's a necessary complication we address to make it work.
Steph: Absolutely. And it’s also a race against time, dealing with these sophisticated networks of cybercriminals who often have the advantage of being ahead of law enforcement.
Joe: Exactly. What we try to do when working with law enforcement in a specific country is establish a standard operating procedure with our in-country legal team and outside counsel. That way, we don’t have to revisit every detail each time, because we already know the guardrails—what's okay to share under their national law and what support is appropriate. Then, we operate within that framework.
Steph: Looking ahead, do you see the future of regulatory consistency in cyberspace moving toward a unified global approach to cybercrime regulation, or will jurisdictional gaps continue to pose challenges?
Joe: I don’t see the differences between countries being harmonized anytime soon. If it were going to happen, it would have already. It doesn’t seem to be converging on a single point, and I’m not holding my breath. Every country has its own calculated risk assessment on what matters to them, so I don’t see enough alignment to make that happen.
Steph: How do you think legal frameworks need to evolve? Feel free to speak to the role of public-private partnerships.
Joe: A major focus for our Counterfeit Crimes Unit and Amazon’s larger anti-counterfeiting efforts is protecting customers, brands, and the public through self-enforcement and self-policing. We want to keep bad actors out of the store, and if they do get in, we shut them down before their listings go live. Amazon shuts down many listings based on indicators of counterfeiting activity. If bad actors make it in, we shut them down, and if they sell something, we go after them through external enforcement.
The scale of global commerce is too large for any one law enforcement agency, company, or country to handle alone. That’s why we need a larger effort to stop bad actors. One example is the Anti-Counterfeiting Exchange (ACX), which Amazon helped start. It’s an exchange where e-commerce stores share data on bad actors to hold them accountable. It’s too global a problem for any one entity to handle, so it’s a group effort. That’s one of the trends I see continuing in the future.
Steph: As we wrap up, given your experience tackling issues from MS-13 to global counterfeiting, what keeps you motivated to work at the intersection of law, tech, and crime? How do you see your role evolving over the next five years?
Joe: I see it as deepening relationships with law enforcement to get data and analysis to them sooner so it can be more actionable. I also see more efficiency in spotting criminal activity through AI, which can help identify patterns in bad actors’ networks. This applies to law enforcement too—not just companies. Governments have large amounts of data that could point toward bad actors, so it’s about getting better at managing that data and extracting meaningful insights. The data is always growing, so the challenge is not being overwhelmed by it but learning how to use it effectively.
Steph: With your experience in both government and corporate sectors, what’s a key lesson you’ve learned that applies to navigating the future of cyber law, especially for students or young professionals?
Joe: Don’t be afraid to fail. If you’re afraid to fail, you’ll avoid certain experiences or goals where you could really make an impact. Don’t be afraid to approach people and ask questions. A lot of people have learned great lessons the hard way, and that knowledge often sits untapped. Also, if you're in law school, sign up for things—try new things. For example, law journals often struggle to get enough content, even though people assume they’re fully stocked. Opportunities often go unclaimed because people think someone else has already taken them. Be one of the people who throws their hat in the ring. Getting rejected doesn’t mean there’s something wrong with you, so go for it and be willing to fail.
Steph: That’s great advice. Thank you for sharing. My final question is, what sources should students and aspiring lawyers follow to stay updated on cybersecurity news? One helpful platform for me has been Inside Cybersecurity. I find their articles very interesting and informative. Any other sources you’d recommend?
Joe: I’m a big believer in news feeds on social media. It’s constantly washing over you, and through platforms like LinkedIn or Twitter, you can see updates on what people are reading, doing, and finding important. That’s a big source for me.
Steph: Thank you so much for sharing your incredible insights. It’s been fascinating to hear about your journey and the way you're shaping the future of cybercrime enforcement. As someone who hopes to follow a similar path, I’m really inspired by your work, and it’s been an honor to have you as our first guest in the Cyber Law Dialogues series.
Joe: Thank you so much for having me. It’s been a real pleasure.