Wednesday, April 14, 2010

"Viewing" as "Possessing"

As I explained in a post I did last year, state and federal courts struggled – at least for a while – with the issue of whether someone who simply viewed child pornography online without downloading it could be prosecuted for possession of child pornography.

The prosecutions in question were usually based on the premise that while the defendant himself did not download images of child pornography, the images he viewed were downloaded to his cache file by his Internet browser. As I noted in another post on this topic, courts tended to find that if the defendant knew his browser was caching the images he was viewing, then he could be found guilty of possessing child pornography; a few courts found that a defendant who didn’t know the browser was caching the images could not be convicted of possessing child pornography because he thought all he was doing was looking at the images (and they didn't equate looking with possessing).

As I explained in the post I did last year, the federal system solved this problem by adding a new child pornography crime to the federal criminal code: the crime of accessing, or viewing, child pornography. As I also noted in that post, the Nevada legislature was then considering a bill that would have added this option to the Nevada code, but I’m not sure if that bill ever passed. Utah has definitely followed the federal government’s lead; the Utah legislature revised that state’s child pornography statute to make it a crime to produce, distribute, possess and “view[] child pornography.” Utah Code § 76-5a-3(1).

As far as I can tell, other states haven’t (yet) done this . . . which brings us to the case this post is about: State v. Mercer, 2010 WL 1222788 (Wisconsin Court of Appeals 2010). The issue in the case was “whether individuals who purposely view digital images of child pornography on the Internet, even though the images are not found in the person's computer hard drive, nonetheless knowingly possess those images in violation of” Wisconsin Statutes § 948.12(1m). State v. Mercer, supra. This is how the case arose:

[Benjamin] Mercer was the human resources director for the city of Fond du Lac, which, in December 2002, installed on its employees' work computers . . . Sergeant Laboratories monitoring software. Mercer did not know about the monitoring software. Every time he logged in to his computer, the software collected information about what he did on his computer. The software tracked general information about computer use: the computer being used, which user was logged into that computer at any particular time, the amount of time the computer was used each day, and the program(s) being used. The city originally used the software to decide which computers to upgrade.

In 2004, the city found out that the software had an alert function which would send an e-mail alert to the city whenever a user typed in an offensive or inappropriate word. The city activated the alert function and used the software's built-in dictionary. Then, if someone typed the keys spelling a word in the dictionary, the software would pick it up as questionable and send an e-mail alert to the city's information systems employees. The e-mail alert included information about which computer was the subject of the alert, the user's identity, the word that was typed, and the program that was being used. The software was capable of alerting on this information because, in addition to the general information mentioned above, the software kept a log of . . . every mouse click or keyboard stroke; if a keyboard stroke, which key was hit; the words in the title bar of the program at the moment of that click or keystroke; and the time that action took place.

After the city started using the alert function, the information systems employees regularly received alerts regarding Mercer's computer use. The alerts suggested a pattern of Mercer surfing the Internet for, among other subjects, possible adult pornographic websites and pornographic websites involving children.

On June 15, 2004, one of the city's information systems employees met with a police officer to review and recreate the content in the software logs for Mercer's computer use. The employee and officer reviewed the logs for Mercer's Internet Explorer use from June 2004 back through part of March 2004. They learned that Mercer had typed words such as `preteens,’ `preteen super models,’ `preteen hardcore,’ `Lolita,’ and `Lolidus’ into the Yahoo!, Google, and MSN search engines and hit the enter key or clicked enter to get search results for those words. Based on the information from the title bar at each click, which was sometimes the actual web address, the information systems employees were able to use Internet Explorer to view the same websites that Mercer visited. The content of those websites included stories about children engaged in sexual acts and images of children in sexual situations. Then they expanded the time period to December 2002 through July 1, 2004, and reviewed what Mercer searched for with search engines like Yahoo!, Google, and MSN from December 2002 to July 1, 2004. They found that on fifty different days Mercer had performed numerous searches for `preteen,’ `lolita,’ and `lolidus,’ among other variations of those words, and clicked on links in the search results.

State v. Mercer, supra. (The opinion explains that “`Lolita’ is a term known for child erotica” and `Lolidus’ is a spelling variation of `lolita.’”)

On October 8, 2007, prosecutors charged Mercer with 14 counts of possessing child pornography in violation of Wisconsin Statutes § 948.12(1m). State v. Mercer, supra. The charges were based on Mercer’s use of his work computer on May 28, 2004. State v. Mercer, supra. The case was tried to a jury, which convicted Mercer on all 14 counts. State v. Mercer, supra.

I’m assuming the prosecution relied on the theory noted above, i.e., that a defendant can be found guilty of “possessing” child pornography if he viewed images online and knew that by doing so he was causing the images to be saved to his cache file. On appeal, Mercer pointed out that his case differed in one material respect from the cache cases:

The evidence against . . . Mercer . . . comes from monitoring software that tracked his Internet browsing; there is no evidence that the contraband was in his computer hard drive. Mercer argues that this difference is significant because he interprets past cases as requiring evidence of an image in his computer hard drive in a place he knew could be accessed later, as well as further evidence that he manipulated the image.

State v. Mercer, supra. In ruling on his argument, the Court of Appeals began by noting that Wisconsin Statutes § 948.12(1m)

states that: `Whoever possesses any . . . photograph, motion picture, videotape, or other recording of a child engaged in sexually explicit conduct under . . . the following circumstances [is guilty of a class D felony]: (a) The person knows that he or she possesses the material.’ . . . . And the [Wisconsin] pattern jury instruction [for this statute] explains `possessed; as when “the defendant knowingly had actual physical control of the recording.’ [Wisconsin Jury Instructions] -Criminal 2146A.

State v. Mercer, supra. Mercer argued that the

lack of hard drive evidence makes all the difference because one cannot possess a digital image that is not in the hard drive. Mercer even has a name for the issue at hand. He characterizes this case as a `pure view’ case. The main issue, therefore, is whether a person can knowingly possess images of child pornography he views while browsing the Internet if there is no evidence that the images viewed were in the computer hard drive.

State v. Mercer, supra. After reviewing prior decisions that analyzed whether viewing that results in the caching of child pornography images constitutes possession of those images, the Court of Appeals explained that its

impression of these cases is that courts are more concerned with how the defendants got to the website showing child pornography, than what the defendants actually did with the images. In all of the cases, the defendant reached out for the images. This fits with the definition of constructive possession: the user could save, print or take some other action to control the images, and the user affirmatively reached out for and obtained the images knowing that the images would be child pornography as shown by the pattern of web browsing. This may occur whether there is cache evidence or not. And that is the main point to be made here.

At oral argument, the State provided the following explanation of how viewing images and web browsing can constitute reaching out for images by describing the difference between `push technology’ and `pull technology.’ In push technology, the receiver does not request the materials. The cyber equivalent is spam. The real world equivalent would be like walking on a route, which you cannot change, that has a newsstand displaying risqué magazines for passersby. As the State explained, people confronted with push technology `are not asking to see it, but it's there to view.’ In contrast, pull technology is where the receiver is asking for the materials. The cyber equivalent is clicking on a button and asking something to come to you. Similarly, the real world equivalent would be like writing to a company and asking it to send you its marketing literature.

This distinction makes sense to us, because in pull technology the user knows what he is looking for and is making a request to obtain that material. So we conclude that an individual knowingly possesses child pornography when he affirmatively pulls up images of child pornography on the Internet and views those images knowing that they contain child pornography. Whether the proof is hard drive evidence or something else, such as the monitoring software here, should not matter because both capture a `videotape’ of the same behavior. And images in either place can be controlled by taking actions like printing or copying the images.

State v. Mercer, supra.

This holding resolved the legal issue Mercer raised, i.e., whether viewing without caching could constitute possession. The Court of Appeals then addressed and rejected the three arguments Mercer made as to why the evidence wasn’t sufficient to convict him of possessing child pornography.

The court first held that based on the testimony of “the software’s co-founder”, the state proved beyond a reasonable doubt that “the images could not have been a pop-up or pop-under.” State v. Mercer, supra. It also rejected his argument that a virus “caused the images to be displayed on his computer.” State v. Mercer, supra. The Court of Appeals rejected this argument because a computer forensics expert testified at trial that “he investigated the viruses on Mercer’s [work] computer and found nothing to suggest that the viruses were related to child pornography or even fully operational.” State v. Mercer, supra. Finally, the court rejected Mercer’s argument that the images did not show “sexually explicit conduct” as required by Wisconsin Statutes § 948.12(1m). State v. Mercer, supra.

The Court of Appeals therefore affirmed his conviction, which presumably means he will begin (if he hasn’t already) serving the sentence imposed on him – 1 year in jail and probation for 8 years.

I’m not sure I buy the Court of Appeals’ finding that viewing without caching constitutes possession . . . but what I really don’t understand is why more states haven’t followed the federal system’s (and Utah’s) lead and simply added the crime of viewing child pornography to their criminal codes. While I’m not sure we need such a crime, having it eliminates the need for courts to parse conduct like that at issue in this case and in the caching cases in order to find that it constitutes “possession.”


PHV said...

"...because one cannot possess a digital image that is not in the hard drive."

Not strictly speaking true. Simple case: Open a file on a network drive using a picture utility, or even Paint. The image is in RAM, not on the computer's hard drive, but you have the ability to save, print, etc. which seems to me proof of being "in possession". If you use a normal browser, then yes, the image will be in the cache, but I see no technical reason why there could not be a specialized browser that does not cache images.

Anonymous said...

AVG Safe Search popped up this warning regarding this blog's RSS feed. As an IT guy, this didn't make sense. Nevertheless, you should investigate it.
"Danger: AVG Active Surf-Shield has detected active threats on this page and has blocked access for your protection"

Anonymous said...

Firefox can be configured this way. If you look at Xerobank's packaged Firefox, it not only implements your idea but also tunnels through a privacy network.

Susan Brenner said...

Thanks for letting me know about the AVG Safe Search warning.

I'm trying to check with Google Blogger to see if they have any ideas.

Anonymous said...

A more detailed warning appeared this time. Unbelievable. As a law professor running a serious blog, you'd have no reason to boobytrap this page.

---- AVG WARNING ------

"The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue."

Anonymous said...

Last part of AVG warning...

Name: Potential illegal content

Susan Brenner said...

I can assure you, I haven't booby trapped the page, wouldn't know how to.

I'm at a loss . . . any suggestions as to what I can do about it?

Thanks for letting me know.

Anonymous said...

That's what I'd meant. I didn't think for one second that AVG Safe Search was being accurate. You are a reputable source.

As for suggestions, have Google Blogger check any scripts that get loaded along with your blog. One bittorrent site had problems because they displayed ads and unknown perpetrators injected malicious code into those streams.

You have no ads but google blogger does load in modules that may be compromised.

I highly recommend you contact AVG and ask them for help:

Susan Brenner said...

I've contacted google blogger again and done my best to contact AVG . . . let you know what I hear.

Thanks again.

Anonymous said...

McAffee site advisor thinks your completely ok (both your blog mainpage and the RSS feed). Will keep you posted....

Anonymous said...

Hey Susan,
This is the oddest problem. I did the following and they all came clean (mainpage and RSS):

- McAffee site advisor:
* No problems with either

- Pasted URL into google:
* AVG's Link Scanner found no issue (mainpage) and google couldn't find RSS url.

* No problems with either URL

The only time the warning appears is sometimes when I click "Reload Live Bookmark".

So oddly when AVG checks each google result on my screen, your site comes up clean. BUT when I reload your RSS feed, the warning may appear. WEIRD!!!

Susan Brenner said...

Thank you SO much for running those tests and letting me know the site seems to be clean. I was really worried that something was wrong.

Appreciate the help.

Anonymous said...

I am obviously reading old posts. Just ran across your blog. Great information! A thought about the AVG false positive warning. They are apparently using a blacklist to compare against URL's as they are downloaded. A website that uses an identified XSS (cross site scripting) exploit will get it's URL on this blacklist. For example, an attacker may create a blog or just post a comment on a blog that contains an XSS exploit. When it's identified as such, AVG adds it to the blacklist. A possibility may be that your first commenter, Peter, may have a comment on his own blogpostcom blog that triggered a black listing. It may have been very short lived as the blacklist is constantly tweaked. This is a guess as I don't really know offhand if is susceptible to XSS or CSRF exploits.

Susan Brenner said...


Thanks for the thoughts about the AVG false positive warning . . . very interesting.

I don't know if is susceptible to either type of exploits . . . I emailed their help center when these issues came up, and they said they didn't find anything on the blog . . . for whatever that's worth.