# A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Fighting Cybercrime on the Internet

L. Taylor - July 18, 2000

This note is based on a presentation on cybercrime by Laura Taylor, TEC Director of Security Research for the E-Gov 2000 Conference sponsored by SAIC on July 10, 2000 at the Washington Conv
ention Center.

Note: Portions of this note are excerpted from the presentation, other parts are explanatory text to relate this informat
ion to the Technology community serviced by the TEC web site. Information that was not taken directly from the presentation is in blue.
I am from a company called TEC, or TechnologyEvaluation.Com, a hybrid online destination site and research consulting company in Woburn, Massachusetts and Montreal, Canada. I have been working in the capacity of Director of Security Re
search at TEC for almost a year. Prior to TEC, I worked as Director of Information Security for CMGi’s flagship webhosting company known as Navisite. Prior to that I founded a consulting company called Relevant Technologies, which still exists, and curre
ntly I maintain a position on the board. Before that, I was CIO of Schafer Corporation.
At TEC I manage the research of security technologies and vendors, identifying and qualifying key criteria necessary to assist high-level IT decision makers in making best-choice infrastructure investments. As well, I report and analyz
e current security news events, pointing out how these events affect you, your network, and your organization. As businesses continue putting their web-enabled e-commerce sites, and the jewels of their infrastructure online, the importance of security an
d privacy is becoming increasingly critical. What I plan on talking about today is “Fighting Cybercrime on the Internet.”
My research is supported by 17 years of industry experience in the Information Technology field. There are three primary aspects of cybercrime that I will be talking about today: cyberpedophilia, keeping digital evidence pure, and miti
gating white collar cybercrime. The other various security topics that I will touch on will have to do with how processes and procedures can support the management of these three important Information Age Law Enforcement and Public Safety concerns. The v
arious security processes worth understanding include, “What are the basics for managing security in an organization? What security policies do you need? And who should you call to assist you in investigating and reporting cybercrime?”

Why Should Businesses Be Concerned About Cyberpedophilia?
Criminals, including those involved in distributing pornographic material can use your website to promulgate their wares. Unless a business protects itself with firewalls, c
ontent filters, and risk management processes, it is vulnerable to penetration by these individuals for illegal purposes. If your website is used for illegal purposes, your company can be sued. Businesses are responsible not only for securing their websi
tes against penetration, but also for insuring that the sites are not used for such illegal purposes as promoting pedophilia.
Before I start discussing how to manage cyberpedophilia, we need to first look at pedophilia in general, and understand how to identify it so that we can most expeditiously enlist the proper au
thorities, create processes for action, and work towards national and local solutions. As a general rule of thumb, behaviors that are illegal offline are illegal online, and obtaining a search warrant in part depends on one’s ability to identify what con
stitutes illegal evidence. The U.S. Code, Title 18, sections 2251, 52A, and 56 are are the definitive laws that describe the sexual exploitation of children. Since part of the problem is the lack of understanding of these laws, I’m going to take the time
to recite these important sections of our U.S. Code.
Section 2251 of Title 18 clearly states that anyone who meets the following requirements has participated in sexual exploitation of children: “Any person who employs, uses, persuades, induces, entices, or coerces any minor to engage in
, or who has a minor assist any other person to engage in, or who transports any minor in interstate or foreign commerce, or in any Territory or Possession of the United States, with the intent that such minor engage in sexually explicit conduct for the
purpose of producing any visual depiction of such conduct, shall be punished as provided under subsection (d).” And subsection (d) stipulates fined or imprisoned not less than 10 years. Section 2251 goes on to say that, “If such person knows or has reaso
n to know that such visual depiction will be transported in interstate or foreign commerce, or mailed, if that visual depiction was produced using materials that have been mailed, shipped or transported in interstate or foreign commerce by any means, inc
luding by computer, or if such visual depiction has actually been transported in interstate or foreign commerce or mailed.”
Parents, legal guardians, or anyone having custody of a minor, who “who knowingly permits such minor to engage in, or assist any other person to engage in, sexually explicit conduct for the purpose of producing any visual depiction of
such conduct shall be punished as provided under subsection (d).” Schools need to be educated and informed about the dangers online, because they too are accountable and responsible for mitigating these dangers.

How Does This Relate to Web-hosting Providers?
If we take a look at Section 2252A of Title 18, it becomes clear that a web-hosting provider who knowingly possesses child pornography on a company owned hosting server, even if it is by co
ntractual arrangement with a customer, can be held liable. From having worked at several web-hosting companies, I can assure you that today, most web hosting companies do not realize their liabilities in this area. 2252A states that accountable persons r
elating to child pornography constitutes “any person who knowingly mails, or transports, or ships in interstate or foreign commerce by any means, including by computer, any child pornography;” or any person who “knowingly receives or distributes child po
rnography that has been mailed, shipped, or transported in interstate or foreign commerce by any means, including by computer.”
Title 18, Section 2256 contains explicit definitions which apply to pedophilia, and cyberpedophilia. In that section, it clearly states that “visual depiction includes undeveloped film and videotape, and data stored on computer disk or
by electronic means which is capable of conversion into a visual image.” It should be noted that “sexually explicit conduct” includes both gay, and straight sexual acts. In fact, there are many responsible gay adults who are adamantly abhorrent of some
of these man-boy love web sites and would welcome the opportunity to help assist in getting them removed from the web.
At this point, Ms. Taylor went on to discuss computers and children, noting “Keeping children off the web, and off computers is not an
option. In fact, we need to enable online access as much as possible, in order to enable our kids’ survival as law-abiding contributing members of society.”
She further explained that “in the online world, Pedophiles do not have to expose themselves as adults to have access to kids, and usua
lly don’t. Cyberpedophiles hang-out in online chat rooms, and typically pose as children themselves… this is one of the reasons cyberpedophiles are so successful. They pretend to be kids, and do not get picked up on anyone’s radar screen as a possible th
reat. So let’s take a look at some of the kinds of online dangers that threaten our nations greatest treasure, our children.”
Possession of child pornography is a crime. In 1996, the Child Pornography Prevention Act (CPPA) was instituted specifically to combat the use of child pornography using computer technology. Often some of the servers that these illegal
images are published on also contain chat rooms which can be used to entice a one-on-one online chat with a minor.
Many webhosting companies do not even realize that they are hosting child pornography servers. Busy webhosting companies sometimes barely have enough time to answer the telephone. They sell the online publishing process, but often have
no knowledge of the content that is being published. Many pornographic domain names are purposely esoteric so as to avoid scrutiny of law enforcement and the general watchful eye of the public. How many people here have ever taken a look at Whitehouse.c
om? Whitehouse.com is often the first stop for viewers looking for the Whitehouse website before they realize that they need to use the .gov extension and type in Whitehouse.gov.
Though webhosting companies are usually compliant with law enforcement in resolving child pornography issues that come up, they are not content examiners, and as far as they are concerned, auditing content for illegalities is not a cos
t effective way to spend their resources. In fact, one of the biggest problems in combating online child pornography is the wide differences that exist in international standards and laws. When you call up a website, or domain name, the viewer does not k
now where the site is being hosted, nor does the viewer care. When a site is hosted by a country that does not view child pornography as illegal or objectionable, who’s laws apply - the country where the server is located or the viewer’s home country? On
which side of the world do you put in place the technology and content filters? Who are the authorities that you should contact to help resolve pedophile webhosting sites and illicit chat rooms?

Ms.Taylor went on to discuss cyberpedophilia as it relates to home, school, and library computers with information and guidance for parents, educators, and librarians, stati
ng that “Part of the plan needs to be teaching children how not to become cybercriminals when they grow up. Waiting until bored technology savvy teenagers start perpetrating denial of service attacks on websites
critical to our nation’s economy and safety is waiting too long to teach kids online netiquette.”

Process for Action
So how do we accomplish all this? What is our IT Agenda? Well there’s lots of work to be done. Janet Reno’s proposal for LawNet to bring states together to help fight cybercrime is an excel
lent concept. While state attorneys general are working on developing a framework for LawNet, it is important to involve technologists at an early stage to make sure the regulatory objectives are in alignment with the proper network technology. A large-s
cale technology network of any kind requires complex project management with built-in work-flow, escalation thresholds, and centralized management. If setup correctly, processes built into LawNet could expressly manage certification of cybersafe school p
ortals. The FDA regulates what kind of food we give our children in school cafeterias. Shouldn’t we have an organization that institutes and enables minimum requirements for online safety? Schools need to know which portals are safe to use. A cybersecuri
ty vision that works for our schools should be scaleable and centrally managed. Imagine the overhead and unnecessary costs if every single school in America needs to install their own firewall and content filters.
Ms. Taylor went on to discuss “Securing the schools of America from cyberthreats,” further noting that “It’s a complicated technologica
l problem that needs to be mapped strategically to the education, security, and law enforcement objectives of a greater national technology vision.”
This was followed by a detailed discussion of the issues involved for schools, parents, and law enforcement stating that, ” This new ch
ild protection law applies to all children under the age of 13 and requires that website operators contact parents and get their verifiable consent to their children’s participation in one-on-one communication systems, chat rooms, or online pen pal progr
ams. Who is enforcing this new child protection law?”
Have any websites been cited for violations of this new online child protection law? How can we find out which companies and organizations have violations in this area? Online advertising companies are notorious for collecting all kind
s of personal information about online users through the use of what is known as a web-browser “cookies” as well as online question and answer forms. If not architected appropriately, an online search engine may see searches done by a 10 year old girl wi
th the keywords “girls” and “toys” and instead return sites with adult sexual paraphernalia. Once kids get into the 6th, 7th, and 8th grades, they will assuredly on their own put profane and explicit language in search engines just to see what happens. W
e need to understand which sites are appropriate for which ages and grade levels

Just because you run a business with a web-site doesn’t mean you can ignore cyberpedophilia. Awareness will cause you to take the proper precautions and ensure that the vendors you employ a
lso take the necessary steps so that cyberpedophilia doesn’t find your site a welcome host. All adults have a responsibility to protect children.
This discussion is only a beginning, setting the need for businesses to be aware of the problem and their potential liability. In future articles on this web site, Ms. Taylor will discuss the following:

How businesses can protect themselves from cybercrime (especially cyberpedophilia)

How not to contaminate the evidence, when a cybercrime has been detected

How to effectively manage the security of your IT systems

For a transcript of the full presentation, e-mail your request (with your e-mail address) to security@technologyevaluation.com.
For information about the conference go to: