What to do if you find child porn on your computer (and you didn’t put it there)

The following is not legal advice. It is common sense based on observation and research, and prompted by recent events in North Las Vegas. I am not authorized to dispense legal advice. Take it for what it’s worth.

If you see something on your computer that looks like child porn, shut it down immediately. Take it straight to your attorney’s office, or to your human resources manager if it’s a company-issued device. Your attorney or the company’s legal counsel should lock up the device, find an independent forensic expert, and then reach out to the authorities to arrange an examination involving their experts and yours.

The guy at the Apple store is not an expert. Neither is the IT guy at your company. Neither is your nephew, the computer science major. And police officers with training in digital forensics are not independent. They are employees of a system that’s very unforgiving of child porn possession.

If the mayor of North Las Vegas received a malware-laced email with a pornography payload, he’s certainly not the first. Cyberattacks bearing porn have become more common. Last year, the geek press reported on a ransomware variant called Kovter, which is capable of changing browser history to add pornography sites, and sometimes deposits child porn.

Some of the attacks are designed to spread through entire organizations, using the first recipient’s computer as a point of entry. Some target a specific person, perhaps someone with a lot to lose professionally.

If you call the police to report that you’ve found a dead body in your kitchen, you will receive due process under the law. They will question you, and they will preserve the evidence as perfectly as they find it. Even if they decide you’re a murder suspect and they arrest you, you’ll get a lawyer and the presumption of innocence in court.

But child porn is so toxic that it seems to cause brain melt. Comments from authorities in the North Las Vegas case suggest that they somehow viewed wiping the device as a favor to its owner, who may now be faced with proving a negative. Sophisticated recovery methods notwithstanding, the original data would have offered the best chance of proving what really happened.

Consider also the peripheral parties who have been perfectly happy to chime in with unqualified opinions based on – what? Based on nothing, because at this point, there’s nothing concrete on which to base an opinion. But for the brain melt, most professionals might choose to withhold comment during such a consequential investigation.

Brain melt is not unique to this episode. Think back to stories about dopey teens facing possible child porn charges for sending nude selfies to classmates. One forensic expert who spoke at a conference said he’d been prosecuted for possession of images received from a defense attorney who’d retained him to work on a case. This sent perceptible shivers down the spines of conference attendees who might have been willing to take such cases.

Bottom line – everyone whose email address is published on a website or a business card is a potential target for this kind of attack, whether it’s random, or customized to do specific damage. A knee-jerk response born of panic is understandable, but this is not a purse snatching. Stop and breathe, and think.

Attorneys and employers must learn what to do. Isolate the device. Every command you enter – even simply turning on the device – might alter evidence. The passage of time can alter evidence. Helpful people with poor training or improper motives can alter evidence. Preserving the evidence is the best form of protection for everyone, including any children who may have been exploited.