Story image

Paedophilia and the ‘Trojan defence’

27 Nov 09

This is a follow-up of sorts to Jeff Debrosse's thoughtful post recently on the problem of possible conviction for the possession of illegal paedophiliac material of individuals who had no knowledge of its presence. More recently, a tweet by Bob McMillan drew my attention to an article by Geoff Liesik on “Authorities scoff at 'child porn virus' tale". This revisits the schism between those who believe that the SODDI (Some Other Dude Did It) defence is about as convincing as "the dog ate my homework", and those who are concerned that natural revulsion at paedophile activity and eagerness to prosecute those who practice it may lead to the conviction of innocent parties.
The SODDI defence been slightly misrepresented in some places. The paedophile's ‘Trojan defence’ has been around for several years and centres around the assertion that malware got installed, downloaded illegal material, then removed itself leaving no trace behind but the pornography. This defence has been accepted in the past, but a sophisticated jury nowadays is likely to wonder why such a Trojan (which is not technically impossible, though unlikely) would have been installed. The likeliest scenario is, I suppose, thatone person might use the technique to‘frame’ another. However, an investigator would still be interested in the identity and motivation of the malefactor, as well as the technical and forensic issues of access and programmatic behaviour.

The ‘Trojan defence’is likeliest to fail when there's illegal content remaining on the inspected computer but no trace of any malware found,or malware is found that has never been known to have that particular payload (i.e., to download illegal material).

Avariation of that defence has, however,become stronger in recent years where malware is found on a system under investigation - that's because of the way the malware threat has evolved. No one, as far as I'm aware, has found an (untargeted) malicious program that always downloads illegal porn to a victimised system. However,if you find, as has been suggested in some reports, that there is something installed that is still downloading child-related pornography at the time of investigation,and you can state with some certainty that ‘something’ is malware rather than a black utility deliberately installed by the user to facilitate the downloading of illegal material,there maybe a viable defence.

Unfortunately, if you find malware that doesn't have that payload, it's still possible to argue that it might nevertheless have had it at some point since the machine was infected, because it's highly characteristic of botnets to change the function performed by individual infected machines according to the changing requirements of the botmeister or his customers.

Certainly, that's far too much like a get-out-of-jail-free card for my taste. I'm not in favour of imprisoning the innocent, but I'm not enthusiastic about freeing the guilty, either, and I suspect that a lot of guilty people will try to use this approach.

However, the only way I can see of mitigating - not fixing - this ambiguity is by absolutely scrupulous forensic examination. Nonetheless, maintaining the integrity of the chain of evidence is, though critical,by no means the hardest part of the problem. The only sort of forensic investigation that stands a chance of giving useful information in this scenario involves all sorts of legal, resourcing and administrative complications - to do it properly requires even more than forensic skill and in-depth knowledge of malware (not to mention a strong stomach). In most jurisdictions, it also requires clearance to work with this sort of material. (Not a job that most of us would relish, and one with a notoriously high burn-out rate.)

Even worse, the sort of examination that's hinted at in some of the rather woolly recent reports suggests a form of dynamic analysis that involves reproducing the illegal behaviour. Sometimes this may be the only way of gathering evidence, but it's an approach with obvious legal implications.

A more generic legal approach might be to link the fact that at least one of the ‘victims’ cited in recent reports did admit to downloading ‘adult’ porn, which, irrespective of legality or morality, escalates the risk of exposure to malware and to other forms of porn. Porn merchants don't care about what they push as long as they don't expose themselves to punitive action. So there's an element of reckless endangerment, especially when a victim doesn't have properly functional security software, as in that particular instance. But there's also the issue that the individual concerned, who is apparently still serving his sentence, may well have been drastically disadvantaged because the court effectively curtailed defence testimony because of the cost of continuing the forensic examiner's investigation.

The JulieAmero case - though not directly concerned with child pornography - is somewhat apposite in that it was compromised by significant forensic flaws and the presence of ineffective, obsolete security software. No report I've seen has mentioned specific malware (most have just said “viruses", and use of that term in itself makes it hard to estimate how much credence to give to the reports). The ‘take home’ point here is that in principle many malicious programmes might have that functionality at some point in their life-cycles: for instance, in order to use a victim's machine as a repository for illegal material. One of the toughest jobs I ever did for the National Health Service in the UK was writing guidelines for handling child-porn-related issues in a way that didn't break UK legislation or governmental directives (or simply give PR-sensitive management a heart attack). It would be (much) harder still now.

InternetNZ welcomes Govt's 99.8% broadband coverage plan
The additional coverage will roll out over the next four years as part of the Rural Broadband Initiative phase two/Mobile Black Spots Fund (RBI2/MBSF) programme expansion.
Dr Ryan Ko steps down as head of Cybersecurity Researchers of Waikato
Dr Ko is off to Australia to become the University of Queensland’s UQ Cyber Security chair and director.
Radware joins Chillisoft’s expanding portfolio
The cloud DDoS prevention, app delivery controller, and web app firewall expert is another step toward a total enterprise security portfolio.
Commerce Commission report shows fibre is hot on the heels of copper
The report shows that as of 30 September 2018 there were 668,850 households and businesses connected to fibre, an increase of 45% from 2017.
Wearables market flourishing - fuelled by smartwatches
A market that has stuttered in the past now has a bright forecast as adoption of wearable technology continues to thrive.
The tech that helped the first woman to sail around Australia
Lisa Blair used devices from supplied by Pivotel to aid her in becoming the first woman to circumnavigate Australia non-stop.
Why there will be a battle for the cloud in 2019
Cloud providers such as AWS, Azure, and Google will likely find themselves in a mad scramble to gain additional enterprise customers.
WLAN market picks up thanks to high-end products
Dell’Oro Group have released a report showing that the WLAN market picked up in 2Q18 as 802.11ax saw its first shipments.