A story recently surfaced saying malware could plant child porn on innocent people's computers without their knowledge. Just how real is this threat? And how can you keep it from happening to you?
Being accused of possessing child pornography can ruin people's reputations, confront them with overwhelming legal bills and, if convicted, and deprive them of their freedom for years if sentenced to prison time, and perhaps for life, if they're required to register as sex offenders.
That is why, at least in part, a recent case outlined by the Associated Press raised concerns over computer viruses being used to plant child pornography on people's computers. But the innocent have little to fear, according to experts.
The AP story reported about the case of Michael Fiola, a former Massachusetts state employee whose state-owned work computer was found to contain illegal child pornography images. He was fired and charged with possession of child pornography which, had he been convicted, could have landed him in prison for up to five years, according to the AP.
Sexually explicit images of children--who are often being exploited--are not protected by the First Amendment because they may memorialize, celebrate, or encourage sexual crimes against children deemed defenseless victims. Although Fiola avoided a child porn conviction, he reportedly has suffered related indignities, including death threats and friend abandonment. The AP said he and his wife liquidated their savings and spent $250,000 on legal fees.
Ultimately, charges were dropped after Fiola's defense showed that his computer was infected by a virus that was "programmed to visit as many as 40 child porn sites per minute," something that a human couldn't do, even if he or she tried. Other reports about this case indicate that the antivirus software on Fiola's computer was out of date and therefore was not protecting him against malware.
Could it happen to you?
How likely is a case like Fiola's? If viruses are capable of putting illegal content on people's computers, aren't we all at risk of being arrested for serious crimes we never meant to commit? And if it is possible for this to happen, isn't "the virus did it" claim likely to become the mantra of every defense attorney who represents people accused of possessing child pornography?
To help answer these questions, I spoke with security experts, legal scholars, former prosecutors, and Justice Department officials. The consensus? It is indeed possible for malicious software to plant child pornography--or any other type of file, for that matter--on an innocent person's computer, but being possible doesn't mean it's likely. And forensics experts can detect intention.
"It's quite possible for a malware creator to include child pornography as part of the payload on an infected computer," according to Symantec spokeswoman Marian Merritt, but "such payloads are not typical."
Most malware authors, Merritt said, "are motivated by money, and there's no clear indication as to how planting child porn on an unsuspecting person's computer would help generate money for criminals."
One possible motive for remotely using someone else's computer to store child porn is to make it possible to access the contraband without running the risk of it showing up if your PC is seized or searched. Merritt worries that "this could become a possible use for malware, going forward," but Michael Geraghty, executive director of the National Center for Missing & Exploited Children Technology Services Division, said that, while possible, it's not an effective way to store child porn and remain undetected.
"If you put the images on someone else's computer, you might not be able to retrieve them when you want them," Geraghty said. He pointed out that the zombie machine storing the data would have to be turned on and connected for the malware sender to access it. If it weren't online, or the files had been deleted, the files wouldn't be there to retrieve.
Another deterrent, of course, is a potential digital trail between your computer and the one you're using to store it. Although there are ways to evade detection, forensic investigators do have ways to trace Internet Protocol addresses to catch people in the act of uploading and downloading material.
"I've never seen it where child porn was intentionally placed on someone's computer because of a virus," Geraghty said. He has, however, seen cases where "someone was redirected to a site where it could have entered the cache." If someone were to go to a legal adult porn site, it's possible that the browser would "open 100 different windows," including some that could contain child porn. "As a result of that, any images on any of these sites would be cached, and there would be a record that you had been there."
But Geraghty said investigators can tell the difference between someone who deliberately downloaded such images and someone who may have inadvertently downloaded perhaps thousands of images because of a virus or misdirected Web site.
Totality of evidence
"A good forensics expert would try to determine how (the images) got on the computer and who was responsible for putting them there," he said. "That would be determined by looking at the totality of the evidence, not just the fact that there were images there."
Things a good investigator would look into include whether the suspect was sitting at the computer at the time the images were downloaded. Was he using the computer to send e-mail or visit other Web sites at the time? "There is always some type of trail we can follow to determine if the person were likely actively involved in the process of downloading the material," Geraghty said.
Another indicator is the time lapse between image downloads. A virus or Trojan horse is likely to download multiple images at a time, sometimes faster than might be humanly possible to do manually. A person who collects child pornography typically acquires it over a period of time, and a forensic investigation of the computer should reveal that.
Phil Malone, a clinical professor at Harvard Law School and director of its Berkman Center Cyberlaw Clinic, agrees that a good forensic investigator should be able to tell the difference between files placed by a virus and ones deliberately downloaded.
"It's the excuse of the moment for defendants," he said. "Lots of child porn defendants try to blame (images found on their computers) on viruses, but it's almost never true. You can actually figure this out. In the handful of cases that have been problematic, it looks as if everyone moved too quickly. The agency discovered material and immediately jumped to conclusions." Malone added that "good, solid forensics would be able to tell in virtually every case."
Malone agreed with Geraghty, of the National Center for Missing & Exploited Children, that it's fairly common for someone, when viewing adult pornography on a Web site, to inadvertently receive pop-ups that may include images of child porn.
"It's possible to tell if something was opened or saved to a file from the cache," Malone said. Investigators can usually figure out if an image was downloaded intentionally, based on other activity that took place on the computer at the time, he said, adding that it's incumbent on both prosecutors and defense attorneys to launch a thorough investigation that includes analyzing a copy of the hard drive to determine not just which images are stored within, but also how they got there.
Geraghty said it's important to look at other factors. "The computer holds a lot of information about the searches that someone runs. If there were none of those searches and nothing else but some images in the cache, you would question how they got there. You would look for collaborating evidence such as intent to visit the site (and capability) of visiting the site. Did he have knowledge?"
A good investigation will look for exculpatory evidence to see if there are other explanations for the images. That investigation, Geraghty said, should start with making one or more exact copies of the suspect's hard drive and examining those copies to look for evidence of malicious software that could be responsible for the images. Defense attorneys can also gain access to a copy of the drive, but because it may contain illegal child porn images, their experts will probably have to examine the drive at the police station or prosecutor's office; possession of those images--regardless of the reason--is illegal for anyone other than personnel granted immunity.
Burden of proof
"In each case, the prosecution will need to prove (that) the defendant knowingly and intentionally possessed, received, or distributed child pornography," according to Drew Oosterbaan, chief of the Child Exploitation and Obscenity section of the Justice Department. "The proof starts with establishing that the images involved are child pornography and ends with establishing that the person charged is criminally responsible for it. We prove the latter in myriad ways."
Oosterbaan said that when someone is charged with possessing child pornography on his computer, "the computer is, in many ways, a crime scene, and the forensic examination of that computer is critical to meeting the elements of proof in the prosecution." He added that "it's important to remember that in every case, the government carries the burden of proof."
Oosterbaan said he is not aware of any cases in which botnets were used to plant child porn on other people's computers.
A former federal prosecutor now working for a technology company, who requested anonymity, said this may become a bigger issue as we enter the era of cloud computing, in which more and more data is stored on Internet servers instead of hard drives.
"There is no question that perpetrators are going to look for places to hide their criminal activity, including child porn, because they're increasingly aware that if law enforcement comes to their house, they will see the material," the former prosecutor said, adding that companies in the cloud storage business need to be aware that their systems could be used for illegal purposes. "They should reach out to the National Center for Missing & Exploited Children to implement a system to compare uploaded files against hash marks (digital fingerprints) of known child porn images."
As with any other security issue, the best defense is to protect your machine against intrusions. This includes:
- Making sure that your operating system and regularly used software are up-to-date.
- Using good software addressing malware, phishing attacks, and/or spam, and keeping it up to date. Subscriptions to paid programs should be renewed.
- Being cautious about spam and about providing information to sites you navigate to from links within even the most legitimate-appearing e-mails.
Disclosure: I serve without compensation as a board member at the National Center for Missing & Exploited Children, which deals with child porn cases. Still, I don't necessarily agree with all NCMEC policies, nor do I speak on behalf of the organization.
China has indefinitely delayed enforcement of a requirement that PC makers preinstall Green Dam-Youth Escort software that experts believe would have screened not just Internet pornography but also some online political content.
Green Dam allows users to specify categories of sites to block.
(Credit: University of Michigan)The reprieve, announced by China's Ministry of Industry and Information Technology, according to reports in The New York Times and the Associated Press, came just one day before the preinstallation rule was to go into effect.
But thus far the reprieve appears temporary: the ministry said the delay will give computer makers more time to comply with the rule, and the government also will continue to equip school and cybercafe computers with the software, according to the New York Times report.
Experts have warned that the Green Dam software poses security risks, and last week, the U.S. Trade Representative protested that Green Dam violates World Trade Organization rules
PC makers had been cagey about their plans to comply with the rule to install the software. Technical and other objections must be weighed against business concerns, and China is a large and growing market. Companies that deal directly with Internet content have been in the hot seat for years, and Google has had to wrestle with new Chinese censorship requirements this month.
Screenshot from one of the menus in the forensic-software system for analyzing images for pornography.
(Credit: Paraben)
Pornography in the workplace can pose a serious problem for employers because a significant amount of material is downloaded by employees during business hours.
The viewing of porn at work can result in lost time, creativity, productivity, and employer profitability. More importantly, it can help create a hostile work environment and can be considered sexual harassment, in violation of Title VII of the Civil Rights Act of 1964. Naturally, corporations want to avoid the potentially serious legal consequences and protect their bottom line.
On Sunday, Orem, Utah-based forensic-software maker Paraben plans to introduce a unique piece of enterprise software developed to detect and analyze images on workplace networks and computers for suspect content. The system looks for a number of sophisticated parameters and grades images at three levels, based upon their correlation with criteria that have been programmed into the system.
The software, according to CEO Amber Schroeder, will also aid in the development of evidence for internal or criminal investigations in such cases. It's expected to cost about $17,000 for 500 computers.
I interviewed Schroeder last week, during the Techno Forensics seminar at the headquarters of the National Institute of Standards and Technology (NIST), near Washington D.C. From personal experience, I can attest to the difficulty in analyzing large hard drives. Searching terabytes of data is incredibly time-consuming and difficult, so this software should provide a welcome tool for administrators and investigators.
Schroeder told me that the program cannot discriminate between child and adult pornography, but it is extremely effective at rapidly identifying suspect images, either online or offline. The system is capable of providing an effective real-time monitor, as images are downloaded to individual workstations, and can definitely aid in shielding employers from extremely costly lawsuits.
Even more importantly, such a program can help protect employees from the kind of invidious and offensive conduct that has been ruled as actionable by the courts, she said.
While the Paraben software has been designed for the corporate environment, it isn't prepared to examine other problem areas: cell phones, PDAs, and any other device that provides access to the Internet.
- prev
- 1
- next
