Full Disclosure mailing list archives

Operation Site-Key computer forensic searches ruled illegal


From: Jason Coombs <jasonc () science org>
Date: Tue, 09 Aug 2005 07:32:56 -1000

Dear Robert,

In reference to your computer forensics-related article (below) from July 13, 2005, detailing computer searches ruled illegal because of the period of time that had elapsed from the date of alleged online purchase to the date of search of a defendant's Windows computer, please consider the following:

I worked as an expert witness on behalf of the defense in a case brought before a military court martial under UCMJ where the defendant's name and credit card number were found in the site-key database.

A computer forensic examination of the defendant's Windows computer revealed the presence of a Trojan and a keylogger that would have enabled a third-party intruder to intercept the defendant's credit card number and use it to purchase child pornography from a Web site that processed credit card payments using the site-key service.

Since this time, other cases involving site-key prosecutions have come to me seeking computer forensics and expert witness services. Thus far in these other cases I have not been provided with copies of computer evidence to analyze, but I have been performing as much preliminary work as possible and the possibility has arisen that the crimes of which the defendants are accused may be nothing more than a "failure of imagination" on the part of law enforcement.

Rather than the site-key database contents reflecting true purchases of child pornography by actual paying customers, I believe it is possible that site-key was in fact a bank robbery.

From my experience with e-commerce payment processing and online merchant services, I know that a merchant will be allowed to withdraw funds from a merchant account after a relatively short period of time, subject to the holding "in reserve" of a pool of funds to cover expected "charge backs" where the customer claims fraud must have occurred and disputes the credit card charge.

A sophisticated group of criminals could have used the site-key service to commit a bank robbery by intercepting a victim's credit card information and taking control of the victim's Windows computer through the Internet by exploiting security vulnerabilities in the Windows operating system and through the use of spyware.

Once in control of the victim's Windows computer, and after the criminal is in possession of the victim's credit card information as a result of the installation of a keylogger program, it would have become possible to "shop" online at a site-key child pornography website, impersonating the victim.

For those suspected child pornography customers who are arrested within a month or two after the bogus "purchase" by them of the child pornography, disputing the credit card charge would have been quite difficult as they would have been in jail.

Disputing the charge becomes impossible upon examination of their Windows computer's hard drives, due to the fact that corroborating evidence would have been found on the suspect's computer.

I have attempted to alert law enforcement to this possibility and have shared the details of the court martial case in which both a Trojan and a keylogger were found, prompting this notion that site-key was a bank robbery rather than truly a child pornography online business that attracted actual paying customers.

As you clearly have contact with the Dallas, Texas-based investigators and attorneys on behalf of various Operation Site-Key defendants, will you please make inquiries along these lines or help me make contact with the appropriate parties so that I may explain this theory in more detail?

Thank you kindly,

Jason Coombs
jasonc () science org

--

Stale warrants doom porn cases

Exclusive: Searches that turned up images of children ruled illegal

09:55 PM CDT on Wednesday, July 13, 2005

By ROBERT THARP / The Dallas Morning News

When Dallas police and federal agents wrapped up a sophisticated Internet child pornography investigation in April 2004, authorities boasted at a news conference that arrests could number in the thousands and circle the globe.

But just a few blocks away at the Dallas County criminal courthouse, attorneys are now quietly getting their clients' child pornography cases thrown out by exposing what they call a fatal flaw in the way investigators proceeded with their work.

The problem: Detectives obtained many of their search warrants based on information that was more than a year old, far longer than what constitutional protections from unreasonable searches allow.

"I don't think there's a line, but certainly a year is stale under anyone's definition," said attorney Reed Prospere, who got the charges thrown out for three clients.

In at least nine Dallas arrests stemming from the Internet pornography investigation dubbed Operation Site-Key, attorneys have successfully argued that child pornography seized from their clients was found during illegal police searches.

At least four judges have heard the arguments and ruled that the search warrants were in fact illegal. The cases were then dismissed because prosecutors had no evidence to use during trial.

Prosecutors have downgraded dozens of additional cases to misdemeanors rather than face a judge's ruling on the searches. So far, Dallas prosecutors have secured 31 convictions from the cases.

"I hate letting bad guys go," prosecutor Ada Brown said. "The issue in all of them is staleness."

Dallas police Lt. Ches Williams, who supervises the department's Internet Crimes Against Children squad, said that he'd prefer to execute search warrants no more than a few days after detectives develop suspicion of a crime but that it's just not possible in the Site-Key cases.

It's a time-intensive task to sort through the information and determine which cases to investigate, he said.

The cases are all based on several large lists of clients subscribing to child pornography sites that were seized by Dallas police. Operation Site-Key listed more than 30,000 paid subscribers.

Names on the lists were referred to prosecutors and other law enforcement agencies, which typically had to verify that names on the lists didn't belong to people who had their identities stolen. Search warrants then had to be sought to search homes and computers of the suspects.

Handling massive numbers of cases can take months.

"You want to get to them as quickly as you can, but there's just a practical matter of not having enough hours in the day and fingers on the keyboard," Lt. Williams said.

British investigation

Operation Site-Key and an earlier Dallas Internet investigation known as Operation Avalanche have spun off thousands of investigations around the world, some of which are also drawing criticism.

In a companion investigation in England dubbed Operation Ore, police arrested some people solely for having their names on the child porn subscription site, even if detectives did not find illegal child porn during searches of their homes and computers.

Several of those cases have been thrown out or suspects found not guilty because of a lack of evidence. But authorities in England said they've secured at least 1,500 convictions from Operation Ore.

"The arrests are based on inference, circumstance and extremely weak links of reasoning," said forensic expert Jim Bates, who has testified for the defense in several of the U.K. cases.

Unlike the investigations in England, Dallas police say all of their arrests involved the seizure of what police said was child pornography.

"You can argue the legal niceties, probable cause, staleness of information – only if we found it on your computer did we arrest you," said Bill Walsh, a Dallas police lieutenant who presided over the investigation until he retired this year.

Dallas attorney Tommy Mayes said it was immediately obvious to him that there was a problem with a search warrant that led to the seizure of suspected child pornography on his client's home computer in Dallas in June 2003.

'Hard to justify'

According to court records, the 46-year-old hospital worker became a suspect in the Operation Site-Key investigation in February 2002. His case was typical for Operation Site-Key detectives – because he was believed to be a subscriber, police sought a search warrant to examine his home computer for illegal pornography.

But Mr. Mayes argued in court that the warrant was illegal because police had waited too long – more than 16 months – to act on their suspicions.

"It's hard for anyone to be in favor of child pornography. I'm a grandfather," Mr. Mayes said. "But it's hard to justify the behavior of the government. ... I'm more concerned about the government using this method of getting the evidence."

In each of the search warrant challenges, prosecutors have argued that the long police lag time should not pose a legal problem because those who possess child porn are different than other criminal suspects. Unlike a drug dealer or a murder suspect, those who view child pornography tend to save evidence and rarely destroy or get rid of it, prosecutors argued.

Judges presented with the argument have not agreed.

Ms. Brown said she has had no choice but to dismiss the cases after judges suppressed the search warrants.

The dismissed cases include ones where suspects have given police confessions about possessing illegal porn. But even the confessions have been thrown out because judges have ruled that they were also the products of the illegal searches.

Federal inquiries

Federal authorities have had more success in their investigations related to Operation Site-Key. The cases were initially parceled out to federal agents and local police based on which agency could get the highest punishment range for each charge, said Kathy Colvin, a spokeswoman for the U.S. attorney's office.

"We're not aware of any federal child porn charge in this district which has been dismissed, had charges dismissed, or a conviction that was overturned," Ms. Colvin said.

Ms. Brown said that such Internet investigations are complicated and take time to work, but court rulings do not support such delays. Perhaps legal precedents have not caught up to the complicated nature of these investigations, she said.

"At best the case law gives you a couple of weeks or a month or two," Ms. Brown said. "Some of mine were as long as a couple years."

Staff writer Tim Wyatt contributed to this report.

E-mail rtharp () dallasnews com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

