The South Carolina legislature recently modified an anti-pedophilia state law to require IT people discovering child pornography on a system to report the computers user to authorities. Sounds reasonable, right? After all, its pretty hard for a rational person to argue in favor of protecting those who buy or traffic in kiddie porn.
But theres more to this legislation than meets the eye. A common tenet of non-Internet law is that evidence obtained during a search must at least withstand some test of nonrepudiation before it can be used against the accused.
The wide variety of ways that data can be stored and transferred on computers, however, provides a more difficult road to presumed guilt. Therefore, IT professionals ought not be put in the position of reporting a co-worker when the evidence stands such a good chance of being misleading or fraudulent. Indeed, theres little chance that hard disk possession of illicit files would ever hold up in court as concrete evidence of guilt.
This issue also puts employers in a terrible liability bind. Security professionals have for years been asserting company ownership of systems, networks and the information assets they engender in order to limit personal use of company resources by employees. The difficulty arises when laws, such as the one in South Carolina, put employers in the position of, on one hand, asserting ownership of systems and networks while on the other denying the same domain over the less savory things that may be found on company systems.
And lets look at it from the suspects point of view. The underlying assumption in the South Carolina law is that the computer user or “owner” has ultimate control over his or her computer and exclusive permission to place files and directories on that system. This is untrue in almost every case. System administrators typically have the run of every office workstation and, certainly, if child porn is discovered on a hapless users network drive, there is nothing whatsoever to prove that an IT employee with sufficient privilege—and a grudge to exercise—didnt plant the explicit files.
It creates a Catch-22 situation that companies should fight by opposing such legislation when it appears on the horizon. Its a no-win for companies and for the vast majority of employees, while doing nothing that will truly lead to a decrease in child pornography.
The truly smart pedophile will simply use file encryption mechanisms to scramble and disguise kiddie porn so it will be very difficult to view or use as evidence if found.
IT staff and their employers should resist being cast as pornography cops. And any legislation that suggests that this is a reasonable response to the issue is merely a smoke screen until a real solution can be found.
