Introduction
This note is based on a presentation on cybercrime
by Laura Taylor, TEC Director of Security Research for the E-Gov 2000
Conference sponsored by SAIC on July 10, 2000 at the Washington Convention
Center.
Note:
Portions of this note are excerpted from the presentation, other parts
are explanatory text to relate this information to the Technology community
serviced by the TEC web site. Information that was not taken directly
from the presentation is in blue.
I
am from a company called TEC, or TechnologyEvaluation.Com, a hybrid online
destination site and research consulting company in Woburn, Massachusetts
and Montreal, Canada. I have been working in the capacity of Director
of Security Research at TEC for almost a year. Prior to TEC, I worked
as Director of Information Security for CMGi's flagship webhosting company
known as Navisite. Prior to that I founded a consulting company called
Relevant Technologies, which still exists, and currently I maintain a
position on the board. Before that, I was CIO of Schafer Corporation.
At
TEC I manage the research of security technologies and vendors, identifying
and qualifying key criteria necessary to assist high-level IT decision
makers in making best-choice infrastructure investments. As well, I report
and analyze current security news events, pointing out how these events
affect you, your network, and your organization. As businesses continue
putting their web-enabled e-commerce sites, and the jewels of their infrastructure
online, the importance of security and privacy is becoming increasingly
critical. What I plan on talking about today is "Fighting Cybercrime on
the Internet."
My research is supported by 17 years of industry experience in the Information
Technology field. There are three primary aspects of cybercrime that I
will be talking about today: cyberpedophilia, keeping digital evidence
pure, and mitigating white collar cybercrime. The other various security
topics that I will touch on will have to do with how processes and procedures
can support the management of these three important Information Age Law
Enforcement and Public Safety concerns. The various security processes
worth understanding include, "What are the basics for managing security
in an organization? What security policies do you need? And who should
you call to assist you in investigating and reporting cybercrime?"
Figure
1. Fighting Cybercrime
Why
Should Businesses Be Concerned About Cyberpedophilia?
Criminals, including those involved in distributing
pornographic material can use your website to promulgate their wares.
Unless a business protects itself with firewalls, content filters, and
risk management processes, it is vulnerable to penetration by these individuals
for illegal purposes. If your website is used for illegal purposes, your
company can be sued. Businesses are responsible not only for securing
their websites against penetration, but also for insuring that the sites
are not used for such illegal purposes as promoting pedophilia.
Before
I start discussing how to manage cyberpedophilia, we need to first look
at pedophilia in general, and understand how to identify it so that we
can most expeditiously enlist the proper authorities, create processes
for action, and work towards national and local solutions. As a general
rule of thumb, behaviors that are illegal offline are illegal online,
and obtaining a search warrant in part depends on one's ability to identify
what constitutes illegal evidence. The U.S. Code, Title 18, sections 2251,
52A, and 56 are are the definitive laws that describe the sexual exploitation
of children. Since part of the problem is the lack of understanding of
these laws, I'm going to take the time to recite these important sections
of our U.S. Code.
Section
2251 of Title 18 clearly states that anyone who meets the following requirements
has participated in sexual exploitation of children: "Any person who employs,
uses, persuades, induces, entices, or coerces any minor to engage in,
or who has a minor assist any other person to engage in, or who transports
any minor in interstate or foreign commerce, or in any Territory or Possession
of the United States, with the intent that such minor engage in sexually
explicit conduct for the purpose of producing any visual depiction of
such conduct, shall be punished as provided under subsection (d)." And
subsection (d) stipulates fined or imprisoned not less than 10 years.
Section 2251 goes on to say that, "If such person knows or has reason
to know that such visual depiction will be transported in interstate or
foreign commerce, or mailed, if that visual depiction was produced using
materials that have been mailed, shipped or transported in interstate
or foreign commerce by any means, including by computer, or if such visual
depiction has actually been transported in interstate or foreign commerce
or mailed."
Parents,
legal guardians, or anyone having custody of a minor, who "who knowingly
permits such minor to engage in, or assist any other person to engage
in, sexually explicit conduct for the purpose of producing any visual
depiction of such conduct shall be punished as provided under subsection
(d)." Schools need to be educated and informed about the dangers online,
because they too are accountable and responsible for mitigating these
dangers.
How
Does This Relate to Web-hosting Providers?
If we take a look at Section 2252A of Title 18, it becomes clear that
a web-hosting provider who knowingly possesses child pornography on a
company owned hosting server, even if it is by contractual arrangement
with a customer, can be held liable. From having worked at several web-hosting
companies, I can assure you that today, most web hosting companies do
not realize their liabilities in this area. 2252A states that accountable
persons relating to child pornography constitutes "any person who knowingly
mails, or transports, or ships in interstate or foreign commerce by any
means, including by computer, any child pornography;" or any person who
"knowingly receives or distributes child pornography that has been mailed,
shipped, or transported in interstate or foreign commerce by any means,
including by computer."
Title
18, Section 2256 contains explicit definitions which apply to pedophilia,
and cyberpedophilia. In that section, it clearly states that "visual depiction
includes undeveloped film and videotape, and data stored on computer disk
or by electronic means which is capable of conversion into a visual image."
It should be noted that "sexually explicit conduct" includes both gay,
and straight sexual acts. In fact, there are many responsible gay adults
who are adamantly abhorrent of some of these man-boy love web sites and
would welcome the opportunity to help assist in getting them removed from
the web.
At
this point, Ms. Taylor went on to discuss computers and children, noting
"Keeping children off the web, and off computers is not an option. In
fact, we need to enable online access as much as possible, in order to
enable our kids' survival as law-abiding contributing members of society."
She
further explained that
"in the online world, Pedophiles do not have to expose themselves as adults
to have access to kids, and usually don't. Cyberpedophiles hang-out in
online chat rooms, and typically pose as children themselves this is
one of the reasons cyberpedophiles are so successful. They pretend to
be kids, and do not get picked up on anyone's radar screen as a possible
threat. So let's take a look at some of the kinds of online dangers that
threaten our nations greatest treasure, our children."
Possession
of child pornography is a crime. In 1996, the Child Pornography Prevention
Act (CPPA) was instituted specifically to combat the use of child pornography
using computer technology. Often some of the servers that these illegal
images are published on also contain chat rooms which can be used to entice
a one-on-one online chat with a minor.
Many
webhosting companies do not even realize that they are hosting child pornography
servers. Busy webhosting companies sometimes barely have enough time to
answer the telephone. They sell the online publishing process, but often
have no knowledge of the content that is being published. Many pornographic
domain names are purposely esoteric so as to avoid scrutiny of law enforcement
and the general watchful eye of the public. How many people here have
ever taken a look at Whitehouse.com? Whitehouse.com is often the first
stop for viewers looking for the Whitehouse website before they realize
that they need to use the .gov extension and type in Whitehouse.gov.
Figure
2. Cybersafe Portals Need to be Protected
Though
webhosting companies are usually compliant with law enforcement in resolving
child pornography issues that come up, they are not content examiners,
and as far as they are concerned, auditing content for illegalities is
not a cost effective way to spend their resources. In fact, one of the
biggest problems in combating online child pornography is the wide differences
that exist in international standards and laws. When you call up a website,
or domain name, the viewer does not know where the site is being hosted,
nor does the viewer care. When a site is hosted by a country that does
not view child pornography as illegal or objectionable, who's laws apply
- the country where the server is located or the viewer's home country?
On which side of the world do you put in place the technology and content
filters? Who are the authorities that you should contact to help resolve
pedophile webhosting sites and illicit chat rooms?
Authorities
Ms.Taylor went on to discuss cyberpedophilia as
it relates to home, school, and library computers with information and
guidance for parents, educators, and librarians, stating that "Part
of the plan needs to be teaching children how not to become cybercriminals
when they grow up. Waiting until bored technology savvy teenagers start
perpetrating denial of service attacks on websites critical to our nation's
economy and safety is waiting too long to teach kids online netiquette."
Process
for Action
So how do we accomplish all this? What is our IT Agenda? Well there's
lots of work to be done. Janet Reno's proposal for LawNet to bring states
together to help fight cybercrime is an excellent concept. While state
attorneys general are working on developing a framework for LawNet, it
is important to involve technologists at an early stage to make sure the
regulatory objectives are in alignment with the proper network technology.
A large-scale technology network of any kind requires complex project
management with built-in work-flow, escalation thresholds, and centralized
management. If setup correctly, processes built into LawNet could expressly
manage certification of cybersafe school portals. The FDA regulates what
kind of food we give our children in school cafeterias. Shouldn't we have
an organization that institutes and enables minimum requirements for online
safety? Schools need to know which portals are safe to use. A cybersecurity
vision that works for our schools should be scaleable and centrally managed.
Imagine the overhead and unnecessary costs if every single school in America
needs to install their own firewall and content filters.
Ms.
Taylor went on to discuss
"Securing the schools of America from cyberthreats," further noting that
"It's a complicated technological problem that needs to be mapped strategically
to the education, security, and law enforcement objectives of a greater
national technology vision."
This
was followed by a detailed discussion of the issues involved for schools,
parents, and law enforcement stating that,
" This new child protection law applies to all children under the age
of 13 and requires that website operators contact parents and get their
verifiable consent to their children's participation in one-on-one communication
systems, chat rooms, or online pen pal programs. Who is enforcing this
new child protection law?"
Have
any websites been cited for violations of this new online child protection
law? How can we find out which companies and organizations have violations
in this area? Online advertising companies are notorious for collecting
all kinds of personal information about online users through the use of
what is known as a web-browser "cookies" as well as online question and
answer forms. If not architected appropriately, an online search engine
may see searches done by a 10 year old girl with the keywords "girls"
and "toys" and instead return sites with adult sexual paraphernalia. Once
kids get into the 6th, 7th, and 8th grades, they will assuredly on their
own put profane and explicit language in search engines just to see what
happens. We need to understand which sites are appropriate for which ages
and grade levels.
Conclusion
Just because you run a business with a web-site doesn't mean you can ignore
cyberpedophilia. Awareness will cause you to take the proper precautions
and ensure that the vendors you employ also take the necessary steps so
that cyberpedophilia doesn't find your site a welcome host. All adults
have a responsibility to protect children.
This
discussion is only a beginning, setting the need for businesses to be
aware of the problem and their potential liability. In future articles
on this web site, Ms. Taylor will discuss the following:
- How business
can protect themselves from cybercrime (especially cyberpedophilia)
- How not
to contaminate the evidence, when a cybercrime has been detected
- How to
effectively manage the security of your IT systems
For a transcript
of the full presentation, e-mail your request (with your e-mail address)
to security@technologyevaluation.com.
For information
about the conference go to:
http://www.e-gov.com/egov2000/