Friday, January 18, 2013
Private companies don't need a warrant to spy on your emails and notify authorities.
It started with an email. A message last January from Robert Branson to a Yahoo account.
But an AOL software program flagged a photo he attached as child pornography, and the 46-year-old Chesapeake resident found himself under investigation by police.
Almost a year later, Branson - who faces up to 160 years in prison when he is sentenced later this year - has learned what more and more purveyors of child porn are discovering every year: Email isn't private.
"When it comes to email, you have no reasonable expectation of privacy," said Deputy Public Defender A. Robinson Winn, Branson's attorney.
Thanks to the help of some of the world's largest Internet companies, police and federal agents have pursued and prosecuted thousands of child pornography cases across the country, experts said.
Officials with the National Center for Missing and Exploited Children say they have received 1.7 million tips about child porn since 1998. And while some of those tips were made by concerned citizens who find child porn online, the executive director of the center's Exploited Child Division credits many of them to companies scanning their users' emails, cloud drives and social network sites.
"That is one of the biggest things that is happening," said John Shehan, whose organization was established in 1984 by Congress to serve as a clearinghouse for information about missing children and child pornography. He said the center received more than 400,000 tips in 2012, up from about 326,000 the year before.
Shehan explained that companies such as AOL, Google, Yahoo, Microsoft and Facebook have been legally obligated since 1998 to contact his organization when they find child porn on their network. In the beginning, that meant companies simply alerted the center when one of their customers told them about child porn. Over the past several years, however, many of the companies started using software to actively scour their networks.
"There is a lot of great information coming from these companies... just about everything law enforcement needs to start an investigation," Shehan said. "The apparent child pornography that was sent, the email address they used and the IP address they used."
Privacy advocates are worried about the technology and how Internet companies and the government might choose to use it in the future.
The scans are legal because no governmental entity is asking the companies to look at their customers' emails, said Brian J. Gottstein, a spokesman for Virginia Attorney General Ken Cuccinelli.
"These are private companies acting independently of law enforcement to ensure that their private servers are not used to store or traffic contraband," he said. "It is analogous to FedEx or UPS reporting a package they suspect of containing narcotics to authorities."
Julian Sanchez, a research fellow at the Cato Institute, a libertarian think tank based in Washington, said the Electronic Communications Privacy Act is designed to keep companies from releasing their users' private emails. The federal law, however, has an exemption involving child porn and the center. Other instances where companies can release information contained in their customer's private emails: if the communication involves a possible life-threatening emergency or if it involves a crime the company "inadvertently" learned about in the course of its business.
Shehan stressed that no one at the companies is "opening emails and looking inside." It's all automated, he said.
Each company has its own method for scanning its users' emails and online storage drives. But their software programs identify child porn the same way, experts said. The programs analyze a user's photos and videos, assign each image a specific value or digital signature and then compare that signature against a database of known child porn images.
The center's database of digital signatures includes about 18,000 images and videos. Shehan added that some companies have expanded the database to include more photos.
Samantha Doerr, a spokesman for Microsoft's Digital Crimes Unit, said the images in the database are the "worst of the worst." She explained the photos have been verified by law enforcement as child porn.
"These are real crime scene photos," she said.
The database represents just a small fraction of the 80 million photos and videos the center has identified as child porn, but Shehan said "these are the exact types of images law enforcement wants to know about and wants to investigate."