The Computer as Crime Scene
Michael Gemignani

When most folks think of criminal activity, the computer is not the first thing that comes to mind.

But computers are arguably one of the most powerful instruments of crime in history. A poor sucker who robs a bank may get a few thousand dollars. He will almost invariably be caught and may wind up spending decades in jail. But a cybercriminal who causes billions of dollars in damage (witness the conficker worm), or who manages to steal millions of dollars electronically, may not even get caught and, if caught, is not liable to spend a much time in prison as the low tech robber. Computers offer the opportunity for theft and vandalism on an unprecedented scale. Some feel that the next world war may not be fought by soldiers with guns and bombs but by hackers who try to destroy a nation’s power, utility, economic and communication capabilities.
However, we do not have to think in terms of grandiose acts or international plots for a computer to be associated with criminal activity. The fact is that even seemingly innocent activity can get a user in trouble with the law.
Suppose, for example, that pornography, or worse, child pornography, was found on your computer. Many companies will fire an employee if they find pornography on a computer that the employee uses at, or for, work. If child pornography is found, the computer user is subject to harsh criminal penalties. But one need not even download pictures to be subject to prosecution.
The relevant federal statutes are sections 2252A and 2256 et seq. of chapter 110 of Part I of Title 18, which is the United States Criminal Code. Child pornography basically involves the depiction of someone under age 18 engaging in sexually explicit activity.
 It is not required that someone actually have downloaded child pornography. The law applies if someone attempts to violate the provisions against possessing child pornography. Thus, if the FBI were to established a decoy website that purports to provide child pornography, as some allege has already happened, someone clicking on the website could trigger an investigation and possible prosecution. Lest you think such language is overly broad and therefore unconstitutional, be aware that the Supreme Court of the United States has already ruled the statutes to be constitutional in their entirety as written.
I am not by any means defending the loathsome trade in child pornography. Nor do I seek to defend those who deliberately seek out child pornography. However, as is well-known to those who do not exercise appropriate caution, malware can play all sorts of tricks on a computer, including downloading images that the user would ordinarily avoid completely, usually without the user’s knowledge. If a worker is provided a computer by his or her employer, the computer may already have illicit files stored on the hard drive and the new user may be none the wiser.
What of it, you might ask? Surely the police would understand that it was not the current user but, rather, the previous user or malicious software that downloaded the illegal files. But suppose such files were found on your own computer. How would you prove that you were not the one who downloaded them? If child pornography were found on your hard drive, how could you convince someone that you were not the one who put it there? Indeed, if someone at work wanted to get you fired and the person had the requisite expertise, he could put incriminating files on your hard drive and then let it be known to your superiors that he had observed you downloading pornography on the job.
The saving grace in all this, if there is one, is that one is presumed innocent until proven guilty. Hence you would not be required to prove that you did not download the files. Rather, the police would be required to prove that you did, and this might be quite difficult, particularly if your computer were found to be riddled with malware, or it could be shown that someone had hacked into your machine, or that your machine had been used by others.
Even if the charges were dropped, or never even filed, because they could not prove that you downloaded the illicit files or even knew about them, you would still suffer unimaginable emotional trauma, legal expenses, and the probable loss of your job. Moreover, the failure to prosecute would not be the same as exoneration. You would still be under the cloud of having the material found on your machine. Mere pornography can get you fired. Child pornography can get you five to twenty years in prison.
Detective stories often feature someone poisoning another’s food or attempts to frame someone for a crime. Now we have the added possibility of poisoned computers destroying lives or being used to frame others for crimes they did not commit. Hope it does not happen to you.
The Rev. Dr. Michael Gemignani, an attorney and Episcopal priest, is also a former professor of computer science who has written extensively on legal issues related to computers. Although he is now retired, he enjoys writing and speaking about computer law and security. Contact him at mgmign2@hal-pc.org with any questions or comments about this topic.