Thursday, June 12, 2008

Click the wrong link and wind up in jail

by John Sheesley, Section Editor Tech Republic

In the 10 Things blog, Deb Shinder recently pointed out 10 ways you might be breaking the law with your computer and not even know it. There’s yet another way that wasn’t mentioned in that article. Specifically it has to do with recent arrests made by the FBI in suspected child pornography cases.

As has been reported in and elsewhere, the FBI has been recently employing fake Web sites to lure people into child pornography. A suspect doesn’t have to have any child pornography on his computer either. Merely clicking the link is enough to trigger an investigation, search warrants, and the resultant perp walk, whether or not there was any intent to indeed consume child pornography as part of the clicking.


With most normal criminal law, part of the element of the crime is the intent to commit the offense that you’ve been arrested for. Not so in this case. The FBI has been using a small clause in the U.S. Code related to “Certain activities relating to material involving the sexual exploitation of minors.” The relevant fine print is down in Subsection (b):

(1) Whoever violates, or attempts or conspires to violate, paragraphs (1), (2), or (3) of subsection (a) shall be fined under this title and imprisoned not less than 5 years and not more than 20 years…

(2) Whoever violates, or attempts or conspires to violate, paragraph (4) of subsection (a) shall be fined under this title or imprisoned not more than 10 years, or both…

The bold and italics on “or attempts” are mine. It’s to highlight the fact that the mere attempt, which can, and has been construed to, mean merely clicking a link, is enough to enact the statute. Don’t be surprised. Lawyers and law enforcement often fight over the meaning of a single word. As a matter of fact, the Supreme Court ruled that the entire law was constitutional as written.

The only defense that can be made to the charge is that fewer than 3 images were found on the computer and that the user:

(2) promptly and in good faith, and without retaining or allowing any person, other than a law enforcement agency, to access any visual depiction or copy thereof—

(A) took reasonable steps to destroy each such visual depiction;
(B) reported the matter to a law enforcement agency and afforded that agency access to each such visual depiction.

Improbable cause

But what if the user didn’t know the images were on the computer? Or what if the user didn’t know what the Web site was before it was clicked?

Sorry. That doesn’t count. The link got clicked. The images are on the computer. Go to jail. Go directly to jail. Don’t pass Go. Don’t collect $200.

Certainly such a thing wouldn’t happen, right? The only way someone could go to a kiddie porn site was to find the link and intentionally click it. As an IT leader you do, or should, know better.

There are many, many different ways users can be tricked into clicking things or winding up on sites they shouldn’t have. First, there are the obvious things that can happen when viruses or other malware redirect browsers to go places they’re not supposed to. Someone could program a simple redirect in a Web site, maybe through something as simple as a clear gif, forwarding a browser to the target Web site. It could even be something as simple as creating a link in TinyURL that points to the site.

TinyURL is especially dangerous, because there’s no way to know exactly what the destination address is before the user goes there. It could be an easy tool for one user to use against another as a cruel joke or some form of retaliation.

Even some modern browsers can potentially cause problems and automatically visit a site without a user clicking a link. Some browsers like Firefox may precache links to Web sites, loading the images and content for a site without your even having to click through to the site. Theoretically this is to speed load times for a user in case he or she decides to go to a linked site. As you can see, however, if the link goes to the FBI’s site, a click wouldn’t even have to occur. The browser would contact the site and attempt to pull content.

The agent who has pinned your user to the floor and is rummaging through your company’s office space doesn’t know whether the user clicked the content or a browser precached it. Nor does he particularly care. An attempt was made, and that’s all it takes.
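What a proxy log can show about the click-versus-precache distinction described above, as an added example that is not part of the original article: it labels each request as a prefetch, a redirect follow-up, a followed link, or unknown. The log format, field names and sample entries are constructed for illustration, and it assumes the proxy records request headers and absolute Location values.

```python
import json

# Request headers that browsers attach to speculative (prefetch) loads.
PREFETCH_HEADERS = {"x-moz", "purpose", "sec-purpose"}

# Constructed sample log: one JSON object per line. The field names are
# assumptions about what a proxy set up to log request headers would record.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "url": "http://tinyurl.com/EXAMPLE", "status": 301, "location": "http://dest.example/page", "headers": {"Referer": "http://webmail.example/inbox"}}
{"client": "10.0.0.5", "url": "http://dest.example/page", "status": 200, "location": null, "headers": {}}
{"client": "10.0.0.7", "url": "http://other.example/next", "status": 200, "location": null, "headers": {"X-moz": "prefetch", "Referer": "http://news.example/"}}
{"client": "10.0.0.9", "url": "http://plain.example/", "status": 200, "location": null, "headers": {}}
"""

def is_prefetch(headers):
    """True if a prefetch-marker header (lowercased name) says 'prefetch'."""
    return any(name in PREFETCH_HEADERS and "prefetch" in value.lower()
               for name, value in headers.items())

def classify(log_text):
    """Return (client, url, origin) for each request, in log order."""
    pending = {}  # (client, redirect target) -> URL that issued the redirect
    results = []
    for line in filter(str.strip, log_text.splitlines()):
        entry = json.loads(line)
        headers = {k.lower(): v for k, v in entry["headers"].items()}
        key = (entry["client"], entry["url"])
        if is_prefetch(headers):
            origin = "prefetch"
        elif key in pending:
            origin = "redirect from " + pending.pop(key)
        elif "referer" in headers:
            origin = "link on " + headers["referer"]
        else:
            origin = "direct or unknown"
        # Remember 3xx responses so the follow-up request can be tied to them.
        if 300 <= entry["status"] < 400 and entry.get("location"):
            pending[(entry["client"], entry["location"])] = entry["url"]
        results.append((entry["client"], entry["url"], origin))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(*row, sep="  ")
```

In Firefox, link prefetching is controlled by the `network.prefetch-next` preference, which can be set to false.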

Extrapolate the problem

It’s bad enough if the attempt occurred at an employee’s home. The FBI may choose to expand the search warrant to the employee’s place of business, potentially wreaking havoc on your entire business. Just think about the problems that could occur if such a violation occurred from within the workplace itself. In such a case, the entire workplace could be disrupted as law enforcement tries to figure out exactly who the perp is.

This would also be a good place to remind you about the implications of an unsecured wireless access point. Should the access to the faked site come from your organization but from an unsecured access point, you’re still going to be in for a whole lot of headaches.

The bottom line for IT leaders

As if you didn’t have enough to worry about on a day-to-day basis, add to the pile the possibility of a visit by law enforcement because of the accidental, precached, or tricked-into clicking of a fake child pornography site. It’s impossible to defend child pornography, but the way the law is currently written and zealously enforced, you need to be aware of the potential problem. The current broad interpretation can lead to extreme problems for your users, your organization, and you personally.

Have an acceptable use policy in place. Make sure users know where they should and should not go, both at home and especially at work. Warn them about the dangers of clicking through any TinyURL link. Consider banning the usage of TinyURL from work and blocking the domain. Reinforce the information about malware that may redirect them to places they don’t want to go.

Make sure your entire network is secure from unauthorized remote access, especially unsecured wireless access points. Remember, the violation only has to come from somewhere within your organization. A hacker in the parking lot surfing free Internet is just as bad as Mary in Accounting accessing one of these sites.

Make sure your users inform you if they wind up on a site with illicit content. Don’t violate the law yourself by viewing the content, but make sure you thoroughly remove any potentially incriminating files. The best way to do so is from the command line.

Finally, keep the company’s lawyer on speed-dial. Consult your company’s attorney to see what to do from there.
