Wednesday, November 11, 2009

AP says it is conducting study on hackers placing child porn or other illegal content on zombie computers, leading to false prosecutions

AP technology writer Jordan Robertson has a very disturbing AP story, dated Nov. 9, 2009, about claims that some people have been “framed” for possession of child pornography that may have been planted by a computer virus. The link for the story (apparently originating from a Florida paper called TCPalm) is here. It's interesting that yesterday my Windows Vista Dell XPS PC broadcast this MSNBC headline on my desktop as I booted up, as part of the Dell "news gadget" available from Vista (underneath the Vista "Clock"); curiously I could not find the story on MSNBC but I did track down the AP original.

The circumstances discussed in the story vary widely. In several cases people have been accused after others found the illegal material on their workplace computers. In Massachusetts, a man spent $250000 defending himself before prosecutors finally agreed that the images came from an infection planted by someone else. However, in many workplaces employers warn associates that they are absolutely responsible for the security of their own workstations, even when they are not at work (which usually means changing passwords frequently and not leaving the work station signed on.)

In a case reporter here (in Feb. 2007), a teenager was arrested at home in Arizona in December 2006 when police claimed he had downloaded illegal material from Yahoo!. Subsequent Internet stories on the truth of the matter are very mixed, to say the least.

The article claims that the Associated Press is conducting an “investigation” and knows of other cases where people have been bankrupted proving their innocence. Prosecutors tend to turn a deaf ear on the idea that this can happen, until the evidence that it really can becomes overwhelming enough. At any time, about 20 million of one billion computers connected to the Internet (about 2%) have infections that could give hackers control of their computers. And some individuals might hack so that they could watch c.p. on a “zombie” computer, unbeknownst to the unsuspecting computer owner.

A story at ABC affiliate KOAT-TV in Albuquerque NM refers to this story here and quotes an FBI sources as claiming that nearly always the original criminal (hacker) can be detected with proper forensics; The FBI believes that such wrongful prosecutions, while possible, are rare. Will WJLA in DC pick up on the story?

It would sound as if there could be a separate issue for a workplace vs. a home computer. As I noted, an employer might hold an associate responsible for the security of the workplace computer. At home, there used to be an idea of “strict liability”; the home user was presumed responsible for any community risk from his asymmetric computer use (that would presume that a parent was responsible for his or her minor children’s behavior on the computers, as well as any guests; the Phoenix parent, in the case mentioned above, was quoted as saying “computers just aren’t safe”.) But in recent years, practically all journalistic sources maintain that infection placed by a hacker is an affirmative defense – but there might be a “guilty until proven innocent” problem, causing enormous expense to the defendant.

When a computer user connects to the Internet, who should be legally responsible for knowing that the computer is properly protected from security threats which can spread to the community? The individual user? The anti-virus software company? The provider of the operating system (Microsoft, Apple, or Linux)? If a computer stops working and the owner takes it to a repair shop and the shop finds both an infection and undetected c.p., what are the legal consequences? When should there be “downstream liability”? There is no such thing as perfect protection, and this sounds like the kind of debate we have in public health areas. Should we have an “Internet driver’s license?”

In a few cases, police have barged in at home when the person was online, as when detected by the National Center for Missing and Exploited Children [link; this could presumably happen with someone who did not know his computer is infected.

Picture: US Courthouse in Philadelphia, site of the 2006 COPA trial.

Update: June 13, 2012

CNET has a story "A child-porn planting virus: Threat or bad defense?" by Larry Magid, Nov. 10, 2009, link here. The practical risk is low, the article says; one way if could happen is when visiting an adult porn site and getting illegal content cached.  The legal standard, in 2009, seemed to be that prosecutors have to prove that the person intentionally downloaded, received, or distributed the illegal material, and that should not be as difficult as it sounds.  CBS had an AP story in Nov. 2009 that also included a story of a man convicted in Wyoming; c.p. was found in a file-sharing folder intended to be used for adult porn.   This could become an issue for cloud computing, the article says.

The legal case of Ned Solon, from Wyoming, is important; the Supreme Court recently turned down an   appeal, story here (story by Tom Morton in Wyoming Tribune). There is a more disturbing account on a site called "Framed for child porn", here. It appears that use of P2P (like LimeWire) might increase the risk on an incident like this. The site criticizes a mentality of absolute liability, "If it's on your computer, then you must be guilty", but that seems not to hold now in general.  (If you can't find it yourself, do you "possess" it in the eyes of the law?  It sounds like "possession" of a football outside the end zone.) 

No comments: