What to do if you find child porn on your computer (and you didn’t put it there)

The following is not legal advice. It is common sense based on observation and research, and prompted by recent events in North Las Vegas. I am not authorized to dispense legal advice. Take it for what it’s worth.

If you see something on your computer that looks like child porn, shut it down immediately. Take it straight to your attorney’s office, or to your human resources manager if it’s a company-issued device. Your attorney or the company’s legal counsel should lock up the device, find an independent forensic expert, and then reach out to the authorities to arrange an examination involving their experts and yours.

The guy at the Apple store is not an expert. Neither is the IT guy at your company. Neither is your nephew, the computer science major. And police officers with training in digital forensics are not independent. They are employees of a system that’s very unforgiving of child porn possession.

If the mayor of North Las Vegas received a malware-laced email with a pornography payload, he’s certainly not the first. Cyberattacks bearing porn have become more common. Last year, the geek press reported on a ransomware variant called Kovter, which is capable of changing browser history to add pornography sites, and sometimes deposits child porn.

Some of the attacks are designed to spread through entire organizations, using the first recipient’s computer as a point of entry. Some target a specific person, perhaps someone with a lot to lose professionally.

If you call the police to report that you’ve found a dead body in your kitchen, you will receive due process under the law. They will question you, and they will preserve the evidence as perfectly as they find it. Even if they decide you’re a murder suspect and they arrest you, you’ll get a lawyer and the presumption of innocence in court.

But child porn is so toxic that it seems to cause brain melt. Comments from authorities in the North Las Vegas case suggest that they somehow viewed wiping the device as a favor to its owner, who may now be faced with proving a negative. Sophisticated recovery methods notwithstanding, the original data would have offered the best chance of proving what really happened.

Consider also the peripheral parties who have been perfectly happy to chime in with unqualified opinions based on – what? Based on nothing, because at this point, there’s nothing concrete on which to base an opinion. But for the brain melt, most professionals might choose to withhold comment during such a consequential investigation.

Brain melt is not unique to this episode. Think back to stories about dopey teens facing possible child porn charges for sending nude selfies to classmates. One forensic expert who spoke at a conference said he’d been prosecuted for possession of images received from a defense attorney who’d retained him to work on a case. This sent perceptible shivers down the spines of conference attendees who might have been willing to take such cases.

Bottom line – everyone whose email address is published on a website or a business card is a potential target for this kind of attack, whether it’s random, or customized to do specific damage. A knee-jerk response born of panic is understandable, but this is not a purse snatching. Stop and breathe, and think.

Attorneys and employers must learn what to do. Isolate the device. Every command you enter – even simply turning on the device – might alter evidence. The passage of time can alter evidence. Helpful people with poor training or improper motives can alter evidence. Preserving the evidence is the best form of protection for everyone, including any children who may have been exploited.

Senate Bill 188: A flirtation with Orwell

A few weeks ago, Phil, my friend and co-worker, drove off the road after failing to negotiate a curve. May God rest his soul. It was an accident, and there’s no other word to describe the tragic event that took the life of a smart, active 30-year-old who savored every day.

But that word may be expunged from Nevada law. Senate Bill 188 would strike all statutory references to traffic “accidents,” and substitute the word “crash.” It’s part of an effort to change the collective mindset about public safety, according to the bill’s sponsor, Senator Mark Manendo. He cites the adoption of “crash” as preferred terminology at the National Highway Traffic Safety Administration.

DUI Victim Advocate Sandy Heverly is a cheerleader for the language change. She says “accident” is misleading because it implies no fault.

“’Accident’ is deeply offensive,” Heverly says. It impedes recovery for the victims of drunk, reckless, or negligent drivers.

Heverly says motor vehicle crashes are “predictable and preventable events.” Her claim is questionable as a general premise. Many collisions are preventable, but accidents by definition are not predictable. Nonetheless, SB188 got a unanimous thumbs-up on the floor of the Nevada Senate, and has proceeded to the other house.

In this week’s Assembly Transportation Committee hearing, it was only insurance lobbyists who commented. They’d been blindsided by the bill, even though it’s insurers who are most interested in sorting out blame after an accident. For students of political wordsmithing, these are authentic stakeholders. They ventured that SB188 could create an expensive and time-consuming challenge for insurers. All business forms and customer contracts would have to be re-written to eliminate the offending word.

Why is the legislature, which frequently complains that 120 days is insufficient to accomplish the people’s business, engaged in this Orwellian exercise? Beyond supporting the magical notion that scrubbing a word from the state’s official language will improve road safety, it’s anybody’s guess. So let’s guess.

Perhaps SB 188 paves the way for driverless cars. Nevada wants to be on technology’s bleeding edge, you should pardon the expression. If human drivers cause “accidents,” but robotic vehicles “crash,” maybe we’re preparing for the day when juries will consider algorithms rather than human intent.

Is SB188 intended to devalue human reasoning? If it’s always a crash, and never an accident, everyone has less discretion, from the first investigator on the scene to the judge who hands down fines and sentences. This empowers prosecutors and the trial bar, and why shouldn’t we openly discuss that?

Can the SB188 concept be extended to all areas of life where legal liability exists? Recall the Florida man who recently shot a friend in the head while stupidly twirling his handgun as if he were the star of a cowboy movie. Yes, every unintended shooting is preventable, but they’re all accidents.

And what’s this about reprogramming our thinking? Who made NHTSA the arbiter of proper thought? Who gave DUI victims the right to universally apply language that soothes their anger and pain? You’re entitled to your own beliefs about why things happen, but please, stay out of my head. Some of us believe tragedy compels contemplation of God, fate, karma, or synchronicity, not parsing of language.

If public brainwashing could reduce traffic accidents – accidents! – Nevada would have the safest roads on the planet. How many public safety campaigns have we, the media, covered? How many words urging cautious driving have been written, broadcast, and posted on billboards? How many tearful victims have told their stories in classrooms, courtrooms, and newscasts?

Victim advocates are offended by the word “accident.” Perhaps a certain forgivable myopia afflicts those who spend all their working hours with victims. But it’s also grossly disrespectful — and, by the way, it’s patently false to assert that there’s no such thing as an accident.

I don’t know what my friend Phil did in his final moments behind the wheel. He was headed into a familiar turn on a road he’d driven hundreds of times. Did he feel suddenly light-headed? Did he see an animal in the road? Did the vehicle malfunction? Was he distracted by the radio or the phone? Was he just anxious to get there? I don’t know, and since he took nobody with him, it doesn’t really matter. But I can virtually assure you that Phil didn’t intend to die on the way to one of his favorite weekend destinations. In anybody’s book, that’s an accident.

Lawmakers miss the point of Assembly Bill 228

Lawmakers considering Assembly Bill 228 were so intent this week on shielding consumers from the uncomfortable realities of the credit market, they were blind to a technology that’s helping people rebuild their credit histories.

For almost a decade, Nevadans have willingly entered into auto loan agreements requiring them to install an on-board device that remotely disables the car if they fail to pay. Ultimately, if lender and borrower reach no resolution, the car can be located via GPS and repossessed. AB 228 was brought by the Payment Assurance Technology Association, which says it wants to incorporate the industry’s best practices into the law. PATA represents several manufacturers of the starter interrupt devices, and lenders who use them.

The devices have proven useful even before the repo man gets involved. Lenders say the delinquency rate on car loans drops to 5 percent among borrowers who get an electronic signal reminding them to pay after a ten-day lapse. The rate is 27 percent among the same class of borrowers without the devices, according to the PATA. Repossessions drop from 15 percent to 4 percent with a starter interrupt device.

Is this the most desirable credit arrangement? Only if you’re cool relinquishing some of your privacy and paying interest rates that push 30 percent. But for many subprime borrowers, it’s the only way to get a car.

Even a privacy hawk recognizes “intelligent tradeoffs,” a phrase used recently by legal scholar Richard Epstein to discuss the balance between privacy and national security. Car buyers with a credit score of 680 or lower are in a position to make an intelligent tradeoff, and put themselves in the driver’s seat.

The Assembly Commerce and Labor committee was predictably unconcerned with privacy, but visibly distressed by a bundle of secondary issues, including the interest rate – the absence of a Nevada usury law was lamented – and customer demographics (percentage of minorities and women, that is). Do the lenders jump to repossess before they’ve made a reasonable attempt to collect? Who holds the finance company accountable for collection and repossession practices? Is the electronic device a means to bully the slow payers?

The answers can be found in the market. Starter interrupt devices are already widely deployed across Nevada and the 49 other states. The customer profile is obvious, and it’s built on credit history, not race or gender. Yes, a tarnished credit record costs you money. Lots of money, regrettably. No, lenders aren’t running madly through the streets smacking their lips as they seize devalued assets to haul away and list on their balance sheets. They prefer granting extra time or coming up with an alternative payment plan, if only a borrower with a problem would contact them.

The starter interrupt device encourages communication between lender and buyer, with positive results for both, according to PATA. It’s a fact that fell on the deaf ears of lawmakers who called for usury laws on behalf of single mothers plagued by high interest rates.

Where do single mothers turn when they lack money for life’s necessities? To extend the stereotype, which has become the last refuge of politicians making dubious arguments, women have been known to turn to men for money, leading to arrangements that sometimes prove more costly than a bad car loan. PATA says the starter interrupt device keeps interest rates lower than they might otherwise be, and it makes some loans possible, period.

The market has validated this particular intelligent tradeoff. Time to unclasp those wringing hands, and use them instead to applaud an industry that’s come forward to promote best practices.

Nevadans seek state-mandated election audits

You’ll seldom hear a more vigorous defense of a state-run information system than the one mounted by election officials when voters challenge the legitimacy of an election. So it was earlier this week in the Nevada Assembly committee that vets election bills, where a group called the Citizen Task Force for Voters Rights showed up to promote AB209.

The bill would require the counties to establish an audit trail for each process involved in conducting an election. Voter registrars from across the state stepped up to protest the cost of implementing the measure, and to reassure lawmakers that their current practices are solid. Clark County’s Joe Gloria, as designated spokesman for his colleagues, touted their performance, noting that Nevada has received national recognition for election integrity.

The problem, says the task force, is that election departments are their own auditors. They investigate any reported irregularities, and not surprisingly, they find no fault in their own system. This wouldn’t fly for casinos or banks, and the task force wants Nevada’s elections subjected to external audits by fraud examiners, same as other high-stakes sectors.

Citizen Task Force for Voters Rights started as a group of voters seeking answers after a phantom candidate took 22.18 percent of the votes in a 2014 Republican primary contest. A man named Mike Monroe had captured 5,392 votes in Congressional District 4 without conducting a campaign. He had no financial backers, and never made appearances or walked neighborhoods. Their search for Monroe turned up no registered voter who knew him or voted for him. His supposed address was a vacant building.

Monroe’s voter turnout was all the more astonishing because his two opponents, then-state legislator Cresent Hardy and Las Vegas activist Niger Innis, conducted energetic campaigns and generated significant press coverage. Typically, anemic candidates facing better-known names would capture between 2 and 7 percent, according to task force research.

Since that election, task force members say they’ve devoted hundreds of hours to investigating election procedures in the counties encompassed by CD 4. They’ve reviewed materials, interviewed people who’ve worked at the polls, and researched the ways elections can be compromised.

They’ve compiled a list of election system vulnerabilities starting with the absence of audit trails and chain of custody records. Add weak voting machine security, training deficiencies, insufficient background checks, and undisciplined transportation procedures. The list also includes “failure to create a security culture.”

Some of the task force claims have years’ worth of anecdotal support from observers and polling place workers.

Election managers are passionate about their work, and nobody suggests they don’t take their task seriously. In the days since the AB209 hearing, two election officials have offered informal assessments of Nevada’s election system security. One described it as “bulletproof” and the other supports the assertion that it’s impervious to criminal interference.

To a reporter who’s covered voting security issues for more than a decade, they seem to be in denial. It was somewhat understandable in 2004, when electronic information management was still evolving. In 2015, they appear willfully blind to reality. No system is bulletproof. Sony wasn’t bulletproof. Anthem Blue Cross, J.P. Morgan, and the U.S. Defense Department were not bulletproof. All of those entities spend millions more on security than budget-constrained Nevada election departments.

Consider also our reliance on minimally-trained election day volunteers, and the central role of the much-maligned Sequoia voting machines. It’s unnerving, even insulting, to expect intelligent taxpayers to believe that nothing can possibly go wrong.

Some lawmakers on the Assembly committee mirror the official demeanor, making it clear they favor blind reliance on the system over weighing thoughtful criticism from skeptical voters. Those legislators also reflect the tendency of election managers to blame questionable occurrences on the voters.

“Weird things happen (in primary elections),” said one Assemblyman, adding that primary voters are inclined to cast irrational votes.

The Citizen Task Force may struggle to get a second hearing.

Why Hillary’s State Department email and the Clark County School District email should have similar protection

Hillarymail, Part I: The data path to government computer networks should be secure

Nevadans should take special note of the revelations about former Secretary of State Hillary Clinton’s email account, which she reportedly managed from a server in her New York home while she was serving in the Obama Administration.

Mrs. Clinton is being criticized for three reasons, including her astonishing presumption that rules don’t apply to her. The other two reasons are pertinent to Nevada’s own unsettled questions about the difference between email content created by public employees, which should be part of the public record, and email addresses assigned to public employees, which should not.

The content of Hillary Clinton’s State Department email, in its entirety, should belong to the taxpayers. And it would, if she played by the rules. As it stands, we’ll never know if we’ve seen the complete archive. Her email address, on the other hand, should belong to the United States Federal Government on behalf of the taxpayers. And it would, if she played by the rules. Hillary’s email address should have existed behind a layered, military-grade security protocol. Would it be safe there from hostile activity? We can only hope, but that’s the intention.

Why does this distinction seem obvious in the face of national security implications, but not when the security of Nevada school children and their teachers is implicated?

The Clark County School District made the right call, with no apparent understanding of how right it was, when it denied public records requests for teacher email addresses. The district said that sharing the addresses with the Nevada Policy Research Institute (and other requesters) would cause “countless businesses and organizations to continuously solicit district teachers through their work email.” In other words, the district thought making the email addresses public would create a nuisance.

NPRI then sued for the email database. The district’s motion to dismiss the complaint didn’t go far enough, nor was it sufficiently precise in claiming that broad use of teacher emails by outsiders would “frustrate” the purpose of the district’s communications network.

“Teachers would be forced to spend time sorting through phishing scams, computer viruses, and other unsolicited spam email,” the district asserted, if “organizations like (NPRI), as well as internet marketing companies, hackers and anyone else who may benefit from thousands of active email accounts…” were given access. The additional traffic would “clog the servers and the computer systems, harming the public in the process.”

The harm envisioned by the district was inconvenience and misspent time due to commercial targeting of teachers. District officials apparently did not grasp the potential for malicious penetration causing catastrophic system failure. Neither did it link “phishing scams” and “hackers” with harm to student privacy. We’ve since learned from a separate conflict over academic standards that Nevada’s school districts are creating extensive student dossiers containing hundreds of personal, non-academic data points. What potential harms might come from an incursion into those information troves?

Email addresses are a data path, leading first to people, then to systems. Hostile nations might have used Hillary Clinton’s data path to glean State Department secrets. The math teacher’s data path could offer access to a valuable bundle of assets held by the nation’s fifth largest school district. Criminals could find payroll records, stalk students, or blackmail parents and administrators. The threats to these systems are utterly analogous.

There is compelling state interest in protecting government information systems at all levels. There’s no outcry in Nevada suggesting that school teachers are unreachable by the people who need to reach them. Tight system security does not constitute lack of transparency. We’ll soon see if the Supreme Court of Nevada agrees.

Hillarymail, Part II: Content is public record

The primary relevance of “HDR at Clintonemail dot com,” aside from its eloquent expression of presumed privilege, is its deviation from national security standards. Any omissions from the public archive can be corrected with the efforts of a diligent press, or a congressional investigation, or a special prosecutor if it comes to that.

The great (and not-so-great) thing about email is that it multiplies like bunnies. Anyone who destroys official email will live to regret it. Somebody, somewhere, will have the means, motive, and opportunity to resurrect regrettable messages.

State Department email messages, school district email messages, and all other email messages on taxpayer-funded systems are public records, and should be turned over to the public, period.

Hillarymail, Part III: Privacy and the infuriating double standard

Of all people who should realize that public life brings a diminished expectation of privacy, you’d think Hillary Clinton would top the list. Time will tell if it’s Hillary who will validate the infamous utterance of Google Chief Eric Schmidt: “If you have something you don’t want anyone to know, maybe you shouldn’t be doing it.”

Hillarymail, whether a scandal or a screw-up, is a vivid reminder that Washington’s top tier has a double standard when it comes to privacy. They want theirs, but they’re willing and eager to be part of the data-sucking machine that robs you of yours.

It’s also a great chance for the taxpayers to demand that our privacy, not theirs, should be paramount. On that front, the silence so far is deafening.

Nevada Legislature needs a moratorium on data collection

It’s hard not to seem like a luddite, a naysayer, or a nut while assessing the new and expanded uses of technology proposed in the Nevada legislature.

And what a shame to feel uneasy about, not appreciative of, a proposed DMV database that would help police locate family members quickly when someone is rushed to the hospital after an accident.

County coroners and the Department of Public Safety are supporting a bill to create an emergency contact registry. It would save money and man hours when they’re looking for next of kin. Who wouldn’t jump on board? Why apply the brakes to a plan that could help loved ones arrive in time to make critical medical decisions, or spare them agonizing hours wondering what’s happened to someone who’s unconscious or dead?

But privacy advocates identified holes in the provision of SB3 that describes the management of this personal data. They asked for tighter guidelines.

What could go wrong with this database? Maybe nothing. Depends on who’s minding the data, and how.

But suppose a criminal gets access, and calls next-of-kin to report a fake accident. He prods panicky relatives for personal information to get proper emergency care for the “victim” — insurance policy numbers, physician’s name, and prescription drug information. Family members comply, desperate to help. This is not far-fetched. Similar schemes are rampant, and profitable.

Take comfort in knowing the registry would be optional. Nevadans who love the idea more than they fear a security breach would opt in.

Carson City is awash in bills conceived to make life safer or more convenient by collecting more personal information, or by inducing Nevadans to engage with the state’s information systems. Many have useful goals, but also provide fertile ground for unintended consequences.

In another example, an election procedures bill would allow election departments to send sample ballots by email to voters who opt in. Voter registrars say it will save money mailing paper ballots, and political activists believe it will stimulate civic involvement.

Proponents submitted a “privacy amendment” that puts the burden on voters to submit written requests to keep their email addresses private. Rather than provide privacy by default, the state will require voters who opt in for email ballots to subsequently opt out of a public listing.

What could go wrong? Depends on the sophistication of the data custodians, the technical rigor of their system, and the savvy of the citizens.

Confoundingly, while making some airy statements that raise questions about current security on the Clark County election website, Voter Registrar Joe Gloria also testified that sample ballots are available online. So why not encourage voters to download an electronic version, rather than solicit email addresses?

All of this should give pause to lawmakers. Their confidence should be conditional on absolute clarity by the data collector. And every goal should be accomplished in the least intrusive manner.

But some members of the elections committee gushed over the sheer gee-whiz-we’re-digital factor. Others were no doubt persuaded by the cost savings. Clark County alone would save $1,670 for every thousand voters who choose email over paper mailing.

If you believe your state-sponsored data custodians have privacy and security locked down, recall that we recently saw the inadvertent exposure of social security numbers belonging to 114 retired judges by an entity with fiduciary responsibility. PERS, the Public Employee Retirement System, emailed a spreadsheet with unencrypted social security numbers in response to a public information request. The breach was reported by the recipient, the Nevada Policy Research Institute, which had sought the data for a study of pensions.

It’s a stunning mistake. Although no names accompanied the data, and the recipient behaved responsibly, things might have been worse. Identities can be reverse engineered using a couple of the other data points that appeared on the spreadsheet.

In 2015, government and the private sector are both lagging in their grasp of how to protect privacy and security. There’s even less awareness of where potential danger might lie.

“Because we can” is not a good reason to expand data gathering by the state. Nevada might benefit from a two-year moratorium on such initiatives while public understanding catches up with technology.

Privacy Potpourri: Homeland Security inserts itself into local sex trade, and more

Privacy headlines popped in January like champagne corks on New Year’s Eve. Here are a few highlights, starting in Reno, where nine hapless SOBs were snagged by a law enforcement team including agents of the U.S. Department of Homeland Security, for attempting to purchase unspecified sexual services on the street.

Recall that the mission of Homeland Security was supposed to be preventing actual breaches of homeland security. The DHS website gives only the barest hint of the mission creep that has it preventing transactional sex between Reno street hookers and their prospective customers.

Here’s the department’s “vital mission.”

“…to secure the nation from the many threats we face. This requires the dedication of more than 240,000 employees in jobs that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector. Our duties are wide-ranging, but our goal is clear – keeping America safe.”

The Sparks Crime Suppression Team, apparently finding no crime to suppress in its own city, was on hand to help Reno PD and the feds with the six-hour sting, as were workers from the Washoe County Health Department, who performed mandatory HIV tests. Florence Nightingale must be smiling in heaven.

The first weeks of 2015 also revealed that at least 50 American law enforcement agencies have been secretly using a hand-held radar device to perform surveillance of human activity inside of homes, despite a U.S. Supreme Court ruling requiring a warrant for similar searches that rely on thermal readers to detect heat behind the walls of buildings.

The radar devices were designed for military use, to spot human presence inside buildings by detecting movements as subtle as breathing, reports USA Today.

The 10th Circuit Court of Appeals upheld a search by U.S. Marshals using the device, but noted that it raises “many questions.”

Speaking of invasive technology with ostensibly benign intentions, the National Science Foundation is paying a professor $50,000 to develop a facial recognition app that monitors student attendance at college lectures. The developer teaches at Missouri University of Science and Technology. He uses his smart phone to take a video of students in the lecture hall. His finished product will automatically take attendance by applying a facial recognition algorithm to the video.

The rationale for this NSF investment is that attendance is the best predictor of graduation rates, and that students who don’t graduate are less able to pay off their student loan debt. No word on the controlling classroom policy when an adult student declines to have his image captured on his prof’s phone.

The private sector has a solution, too. The Class120 app costs $199. Installed on the student’s own smartphone, it overlays geolocation data with campus maps, notifying parents if the phone is not in the right classroom at the right time of day. Nothing wrong with that, if the parents and the students agree on it. But here’s the kicker from the Wall Street Journal:

“As online interactions have grown, schools have realized they have a trove of new data to look at, such as how much a student is accessing the syllabus, taking part in online discussions with classmates and reading assigned material. Such technology “shows faculty exactly where students are interacting outside as well inside the classroom…”

Then there’s the insurance company that promised a discount to drivers who allow it to digitally monitor driving habits. Progressive Insurance has distributed two million dongles that port into the OBD (on-board diagnostics) console, which is the electronic communication center for the moving components of the car. The dongle monitors brakes, acceleration and other readings, including mileage and time of day, creating a record of the driver’s vehicle usage.

Seems that a skilled hacker can use the dongle to get into the vehicle’s core systems, according to a Forbes interview with security researcher Corey Thuen, who discovered that he could unlock doors and gather information about his truck’s engine by hooking up his laptop to the dongle. Says Thuen:

“It (the dongle) has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols, possibly putting the lives of people inside the vehicle in danger.”

Safety implications aside, the driver information itself is vulnerable. It would be a piece of cake to intercept the dongle’s transmissions to Progressive, and to steal, erase, or alter the data, with potentially serious and possibly irrevocable consequences for the driver. Happy New Year!
