Politics and Law

October 13, 2008 2:26 PM PDT

New laws track child predators online

by Stephanie Condon

Child predators will be easier to track online because of two new laws President Bush signed Monday.

The Protect Our Children Act--which includes provisions introduced by Sens. Joe Biden (D-Del.), Hillary Clinton (D-N.Y.), and John McCain (R-Ariz.)--sets requirements for Internet companies to report incidents of child pornography. It also authorizes more than $320 million for the Justice Department over the next five years for, among other things, the Internet Crimes Against Children Task Force.

The president on Monday also signed the Keeping the Internet Devoid of Sexual Predators Act, which requires a sex offender to provide the National Sex Offender Registry with all of his Internet identifiers, such as e-mail addresses.

While the KIDS Act does not permit sex offenders' Internet identifiers to be made public, it does require the attorney general to share the information with social-networking Web sites, so the sites can compare the identifying information with that of their respective users. The bill was sponsored by Chuck Schumer (D-N.Y.) in the Senate and Earl Pomeroy (D-N.D.) in the House.

September 26, 2008 4:04 PM PDT

Congress takes up online threats to children

by Stephanie Condon

Amid an economic crisis, Congress found some time this week to address online threats to children.

The Protect Our Children Act, introduced by Sen. Joe Biden, D-Del., made it through the Senate on Thursday. Separate bills authored by Sens. John McCain and Hillary Clinton were folded into the legislation, which authorizes more than $320 million for the Justice Department over the next five years for, among other things, the Internet Crimes Against Children Task Force. The bill would affect how Internet companies report online child pornography to authorities, and it approves funds for law enforcement to focus on online child exploitation.

The House of Representatives on Tuesday passed the Ryan Haight Online Pharmacy Consumer Protection Act, a bill that would ban the sale or distribution of prescription drugs over the Internet without a valid prescription. Matching legislation passed in the Senate in April, but the House sent its version back to the Senate with amendments on Thursday.

Under the proposed law, online pharmacies would have to comply with pharmacy licensing laws in each state in which they do business and register with the relevant state attorneys general. Some congressmen questioned the impact of the bill, given that so many online pharmacies that distribute drugs without prescriptions are based outside the U.S.

The bill is named after Ryan Haight, an 18-year-old who died from an accidental overdose of Vicodin, Valium, and a trace of morphine, which he acquired with prescriptions over the Internet.

Columbia University's National Center on Addiction and Substance Abuse investigated online pharmacies selling prescription-free drugs this year and found that 40 percent of the sites it identified indicated that the drugs would be shipped from outside the U.S., according to Susan Foster, CASA's vice president and director of policy research and analysis. Another 36 percent did not indicate a location.

Christine Jones, general counsel for Internet domain registrar Go Daddy, said the bill would still be effective.

"It doesn't matter where the Web site operator is," Jones said. "If I can't find their name on the list of approved sellers, that makes that Web site illegal."

March 20, 2008 4:00 AM PDT

FBI posts fake hyperlinks to snare child porn suspects

by Declan McCullagh

Screen snapshot: This now-defunct site is reportedly where an FBI undercover agent posted hyperlinks purporting to be illegal videos. Clicking the links brought a raid from the Feds.

The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.

Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.

A CNET News.com review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who's using an open wireless connection--and whether anyone who clicks on an FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police.

Roderick Vosburgh, a doctoral student at Temple University who also taught history at La Salle University, was raided at home in February 2007 after he allegedly clicked on the FBI's hyperlink. Federal agents knocked on the door around 7 a.m., falsely claiming they wanted to talk to Vosburgh about his car. Once he opened the door, they threw him to the ground outside his house and handcuffed him.

Vosburgh was charged with violating federal law, which criminalizes "attempts" to download child pornography with up to 10 years in prison. Last November, a jury found Vosburgh guilty on that count, and a sentencing hearing is scheduled for April 22, at which point Vosburgh could face three to four years in prison.

The implications of the FBI's hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography--and raid people who click on the links embedded in the spam messages. The bureau could register the "unlawfulimages.com" domain name and prosecute intentional visitors. And so on.

"The evidence was insufficient for a reasonable jury to find that Mr. Vosburgh specifically intended to download child pornography, a necessary element of any 'attempt' offense," Vosburgh's attorney, Anna Durbin of Ardmore, Penn., wrote in a court filing that is attempting to overturn the jury verdict before her client is sentenced.

In a telephone conversation on Wednesday, Durbin added: "I thought it was scary that they could do this. This whole idea that the FBI can put a honeypot out there to attract people is kind of sad. It seems to me that they've brought a lot of cases without having to stoop to this."

Durbin did not want to be interviewed more extensively about the case because it is still pending; she's waiting for U.S. District Judge Timothy Savage to rule on her motion. Unless he agrees with her and overturns the jury verdict, Vosburgh--who has no prior criminal record--will be required to register as a sex offender for 15 years and will be effectively barred from continuing his work as a college instructor after his prison sentence ends.

How the hyperlink sting operation worked
The government's hyperlink sting operation worked like this: FBI Special Agent Wade Luders disseminated links to the supposedly illicit porn on an online discussion forum called Ranchi, which Luders believed was frequented by people who traded underage images. One server allegedly associated with the Ranchi forum was rangate.da.ru, which is now offline with a message attributing the closure to "non-ethical" activity.

In October 2006, Luders posted a number of links purporting to point to videos of child pornography, and then followed up with a second, supposedly correct link 40 minutes later. All the links pointed to, according to a bureau affidavit, a "covert FBI computer in San Jose, California, and the file located therein was encrypted and non-pornographic."

Excerpt from an FBI affidavit filed in the Nevada case showing how the hyperlink-sting was conducted.

Some of the links, including the supposedly correct one, included the hostname uploader.sytes.net. Sytes.net is hosted by no-ip.com, which provides dynamic domain name service to customers for $15 a year.

When anyone visited the upload.sytes.net site, the FBI recorded the Internet Protocol address of the remote computer. There's no evidence the referring site was recorded as well, meaning the FBI couldn't tell if the visitor found the links through Ranchi or another source such as an e-mail message.

With the logs revealing those allegedly incriminating IP addresses in hand, the FBI sent administrative subpoenas to the relevant Internet service provider to learn the identity of the person whose name was on the account--and then obtained search warrants for dawn raids.

Excerpt from FBI affidavit in Nevada case that shows visits to the hyperlink-sting site.

The search warrants authorized FBI agents to seize and remove any "computer-related" equipment, utility bills, telephone bills, any "addressed correspondence" sent through the U.S. mail, video gear, camera equipment, checkbooks, bank statements, and credit card statements.

While it might seem that merely clicking on a link wouldn't be enough to justify a search warrant, courts have ruled otherwise. On March 6, U.S. District Judge Roger Hunt in Nevada agreed with a magistrate judge that the hyperlink-sting operation constituted sufficient probable cause to justify giving the FBI its search warrant.

The defendant in that case, Travis Carter, suggested that any of the neighbors could be using his wireless network. (The public defender's office even sent out an investigator who confirmed that dozens of homes were within Wi-Fi range.)

But the magistrate judge ruled that even the possibilities of spoofing or other users of an open Wi-Fi connection "would not have negated a substantial basis for concluding that there was probable cause to believe that evidence of child pornography would be found on the premises to be searched." Translated, that means the search warrant was valid.

Entrapment: Not a defense
So far, at least, attorneys defending the hyperlink-sting cases do not appear to have raised unlawful entrapment as a defense.

"Claims of entrapment have been made in similar cases, but usually do not get very far," said Stephen Saltzburg, a professor at George Washington University's law school. "The individuals who chose to log into the FBI sites appear to have had no pressure put upon them by the government...It is doubtful that the individuals could claim the government made them do something they weren't predisposed to doing or that the government overreached."

The outcome may be different, Saltzburg said, if the FBI had tried to encourage people to click on the link by including misleading statements suggesting the videos were legal or approved.

In the case of Vosburgh, the college instructor who lived in Media, Penn., his attorney has been left to argue that "no reasonable jury could have found beyond a reasonable doubt that Mr. Vosburgh himself attempted to download child pornography."

Vosburgh faced four charges: clicking on an illegal hyperlink; knowingly destroying a hard drive and a thumb drive by physically damaging them when the FBI agents were outside his home; obstructing an FBI investigation by destroying the devices; and possessing a hard drive with two grainy thumbnail images of naked female minors (the youths weren't having sex, but their genitalia were visible).

The judge threw out the third count and the jury found him not guilty of the second. But Vosburgh was convicted of the first and last counts, which included clicking on the FBI's illicit hyperlink.

In a legal brief filed on March 6, his attorney argued that the two thumbnails were in a hidden "thumbs.db" file automatically created by the Windows operating system. The brief said that there was no evidence that Vosburgh ever viewed the full-size images--which were not found on his hard drive--and the thumbnails could have been created by receiving an e-mail message, copying files, or innocently visiting a Web page.

From the FBI's perspective, clicking on the illicit hyperlink and having a thumbs.db file with illicit images are both serious crimes. Federal prosecutors wrote: "The jury found that defendant knew exactly what he was trying to obtain when he downloaded the hyperlinks on Agent Luder's Ranchi post. At trial, defendant suggested unrealistic, unlikely explanations as to how his computer was linked to the post. The jury saw through the smokes (sic) and mirrors, as should the court."

And, as for the two thumbnail images, prosecutors argued (note that under federal child pornography law, the definition of "sexually explicit conduct" does not require that sex acts take place):

The first image depicted a pre-pubescent girl, fully naked, standing on one leg while the other leg was fully extended leaning on a desk, exposing her genitalia... The other image depicted four pre-pubescent fully naked girls sitting on a couch, with their legs spread apart, exposing their genitalia. Viewing this image, the jury could reasonably conclude that the four girls were posed in unnatural positions and the focal point of this picture was on their genitalia.... And, based on all this evidence, the jury found that the images were of minors engaged in sexually explicit conduct, and certainly did not require a crystal clear resolution that defendant now claims was necessary, yet lacking.

Prosecutors also highlighted the fact that Vosburgh visited the "loli-chan" site, which has in the past featured a teenage Webcam girl holding up provocative signs (but without any nudity).

Civil libertarians warn that anyone who clicks on a hyperlink advertising something illegal--perhaps found while Web browsing or received through e-mail--could face the same fate.

When asked what would stop the FBI from expanding its hyperlink sting operation, Harvey Silverglate, a longtime criminal defense lawyer in Cambridge, Mass. and author of a forthcoming book on the Justice Department, replied: "Because the courts have been so narrow in their definition of 'entrapment,' and so expansive in their definition of 'probable cause,' there is nothing to stop the Feds from acting as you posit."

January 16, 2008 10:38 AM PST

Child porn defendant locked up after ZIP file encryption broken

by Declan McCullagh

Government investigators were able to easily break the ZIP file encryption that a Texas man allegedly used to conceal illegal images, a recent court case shows.

The investigation of John Craig Zimmerman began when his employer, the Brownsville Fire Department, received an anonymous voice message in February 2007 alleging that Zimmerman was a pedophile and had child pornography on his department-owned work computer. A city programmer named Albert Castillo searched Zimmerman's computer and found adult pornography (technically a violation of department policy but not a crime) on an external hard drive.

What Castillo also found were some password-protected ZIP files titled "Cindy 5." Castillo apparently used a program called Zipkey 5.5 to brute-force at least some of the password-protected files and find images of a partly naked minor.

Homeland Security's Immigration and Customs Enforcement agents were called in, and volunteered that they had information from a previous investigation showing that Zimmerman previously bought a membership on a child porn Web site. (Left unanswered is why, if that was in fact the case, ICE never did anything about it.)

What happened next: Zimmerman's home was raided with a search warrant, additional images he allegedly took himself were found, he was indicted on counts of receiving and possessing child pornography, and he pleaded no contest except to say that the images had nothing to do with interstate commerce. In an opinion dated December 20, U.S. District Judge Andrew Hanen said there was a "rational basis" to assume that child pornography transmissions related to interstate commerce.

I mention this case not to show that there's something remarkable about decrypting one of the older ZIP archives: the symmetric encryption algorithm used has long been known to be anything but secure. Newer WinZip archives, starting with WinZip 9.0, use more secure 128- and 256-bit key AES encryption.

The reason I'm mentioning this case is to argue that as encryption becomes more widespread--it's part of OS X and Vista, after all--police will encounter it more frequently, and not just in cases involving illegal images. And not all encrypted files will be as easy to brute-force. Which means that the outcome of the Boucher case becomes more important than ever.

December 6, 2007 8:37 PM PST

Wi-Fi 'illegal images' politician defends legislation

by Declan McCullagh

The Democratic sponsor of a bill forcing anyone with an open Wi-Fi connection to report illegal images--or pay fines of up to $300,000--says a recent Internet outcry over the legislation misses the point.


Rep. Nick Lampson of Texas, who drafted the bill that the House of Representatives approved this week, said through a spokesman on Thursday that he didn't actually mean to target Americans who happen to have Wi-Fi access points at home. The legislation also covers social-networking sites, domain name registrars, Internet service providers, and e-mail service providers such as Hotmail and Gmail.

Lampson's spokesman, Trevor Kincaid, sent me this e-mail about the Securing Adolescents From Exploitation-Online Act, or SAFE Act:

It is NOT the intent of the SAFE Act to target Wi-Fi providers but rather the entities that provide the internet to those conduits.

With that said--child pornography is illegal, grotesque, and has become a global epidemic. The Internet serves as virtual hunting preserve for pedophiles and predators to prey upon innocent children. So, while this bill is not intended to impact the groups you reference, those groups, all of us, have a civic and moral obligation to report these criminal acts that exploit and traumatize children.

He responded to privacy concerns with this:

Since child pornography is illegal it is material that is NOT protected by the first amendment. Therefore, the SAFE Act is not infringing upon a person's civil liberties.

I wrote back:

You say that the "intent" was not to force Americans with open Wi-Fi connections in their homes, but a court will typically not consider congressional intent--it'll look at what the law says. Why does the bill not exempt Wi-Fi and private individuals from its relatively strict requirements?

Will you try to work with the Senate to tweak the language so it doesn't cover WiFi connections and private individuals? Because you said that he did not mean to target WiFi networks, can I take your response to mean that inclusion of such language was a mistake that will be fixed? I mean, it wouldn't seem to be a major change--just the addition of one sentence or so.

Kincaid replied:

I never said Rep. Lampson "didn't mean to target WiFi." Rep. Lampson added teeth to pre-existing law in hopes of cracking down on a $5 billion a year child pornography business.

We are constantly discussing the bill as it moves through the Senate, but I cannot speculate whether or not any changes will be made to the House version. Mr. Lampson's goal is to stop the trafficking of child pornography on the internet without dissolving civil rights; this bill will take big strides to accomplish that goal.

So what exactly does the SAFE Act do? It doesn't mandate ongoing network surveillance. What it does require is that anyone providing Internet access who learns about the transmission or storage of information about an illegal image must (a) register their name, mailing address, phone number, and fax number with the National Center for Missing and Exploited Children's "CyberTipline" and (b) "make a report" to the CyberTipline that (c) must include any information about the person or Internet address behind the suspect activity and (d) the illegal images themselves. (Note that some reporting requirements already apply to Internet access providers under current law.)

The definition of which images qualify as illegal is expansive. It includes obvious child pornography, meaning photographs and videos of children being molested. It also includes photographs of fully clothed minors in unlawfully "lascivious" poses, and certain obscene visual depictions including a "drawing, cartoon, sculpture, or painting."

Most reasonable adults, including home Wi-Fi providers or the Web sites affected by this legislation, can figure out what actual child pornography is. But when it comes to photographs of fully clothed minors in "lascivious" poses, and overly risque cartoon anime that might be "obscene" in one area of the country and permissible in another, it becomes trickier--especially when, legally, only a jury can determine whether an image violates local community standards.

The real problem, I think, is that Lampson probably drafted this legislation a little too hastily. It didn't go through the normal committee process and was rushed to the floor without the final text being posted until the day after the vote. That may be why its requirements apply to anyone providing an "electronic communication service" or "remote computing service"--terms that were clear back when the only Internet service providers were AOL or Netcom.

But now that anyone with a Wi-Fi connection (or any school, or library, or coffee shop) can be an ISP, it's not sufficient to borrow definitions written in the 1980s. That's one reason why the usual back-and-forth process of public hearings, disclosure, and debate can actually be helpful on occasion.

December 5, 2007 5:47 PM PST

House vote on illegal images sweeps in Wi-Fi, Web sites

by Declan McCullagh

[Update as of Thurs. 8:30pm: See this article for a response to criticisms from Rep. Nick Lampson, the bill's author.]

The U.S. House of Representatives on Wednesday overwhelmingly approved a bill saying that anyone offering an open Wi-Fi connection to the public must report illegal images including "obscene" cartoons and drawings--or face fines of up to $300,000.

That broad definition would cover individuals, coffee shops, libraries, hotels, and even some government agencies that provide Wi-Fi. It also sweeps in social-networking sites, domain name registrars, Internet service providers, and e-mail service providers such as Hotmail and Gmail, and it may require that the complete contents of the user's account be retained for subsequent police inspection.

Before the House vote, which was a lopsided 409 to 2, Rep. Nick Lampson (D-Texas) held a press conference on Capitol Hill with John Walsh, the host of America's Most Wanted, and Ernie Allen, head of the National Center for Missing and Exploited Children.

Allen said the legislation--called the Securing Adolescents From Exploitation-Online Act, or SAFE Act--will "ensure better reporting, investigation, and prosecution of those who use the Internet to distribute images of illegal child pornography."

The SAFE Act represents the latest in Congress' efforts--some of which have raised free speech and privacy concerns--to crack down on sex offenders and Internet predators. One bill introduced a year ago was even broader and would have forced Web sites and blogs to report illegal images. Another would require sex offenders to supply e-mail addresses and instant messaging user names.

Wednesday's vote caught Internet companies by surprise: the Democratic leadership rushed the SAFE Act to the floor under a procedure that's supposed to be reserved for noncontroversial legislation. It was introduced October 10, but has never received even one hearing or committee vote. In addition, the legislation approved this week has changed substantially since the earlier version and was not available for public review.

Not one Democrat opposed the SAFE Act. Two Republicans did: Rep. Ron Paul, the libertarian-leaning presidential candidate from Texas, and Rep. Paul Broun from Georgia.

This is what the SAFE Act requires: Anyone providing an "electronic communication service" or "remote computing service" to the public who learns about the transmission or storage of information about certain illegal activities or an illegal image must (a) register their name, mailing address, phone number, and fax number with the National Center for Missing and Exploited Children's "CyberTipline" and (b) "make a report" to the CyberTipline that (c) must include any information about the person or Internet address behind the suspect activity and (d) the illegal images themselves. (By the way, "electronic communications service" and "remote computing service" providers already have some reporting requirements under existing law too.)

The definition of which images qualify as illegal is expansive. It includes obvious child pornography, meaning photographs and videos of children being molested. But it also includes photographs of fully clothed minors in overly "lascivious" poses, and certain obscene visual depictions including a "drawing, cartoon, sculpture, or painting." (Yes, that covers the subset of anime called hentai).

Someone providing a Wi-Fi connection probably won't have to worry about the SAFE Act's additional requirement of retaining all the suspect's personal files if the illegal images are "commingled or interspersed" with other data. But that retention requirement does concern Internet service providers, which would be in a position to comply. So would e-mail service providers, including both Web-based ones and companies that offer POP or IMAP services.

"USISPA has long supported harmonized reporting of child pornography incidents to the (NCMEC). ISPs report over 30,000 incidents a year, and we work closely with NCMEC and law enforcement on the investigation," Kate Dean, head of the U.S. Internet Service Provider Association, said on Wednesday. "We remain concerned, however, that industry would be required to retain images of child pornography after reporting them to NCMEC. It seems like the better approach would be to require the private sector to turn over illicit images and not retain copies."

Failure to comply with the SAFE Act would result in an initial fine of up to $150,000, and fines of up to $300,000 for subsequent offenses. That's the stick. There's a carrot as well: anyone who does comply is immune from civil lawsuits and criminal prosecutions.

There are two more points worth noting. First, the vote on the SAFE Act seems unusually rushed. It's not entirely clear that the House Democratic leadership really meant this legislation to slap new restrictions on hundreds of thousands of Americans and small businesses who offer public wireless connections. But they'll nevertheless have to abide by the new rules if senators go along with this idea (and it's been a popular one in the Senate).

The second point is that Internet providers already are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency. So there's hardly an emergency, which makes the Democrats' rush for a vote more inexplicable than usual.
