"Child Abuse" is one of the Four Horsemen of the Infocalypse regularly invoked as a justification for ever more Government snooping and censorship of the internet, even though these problems have existed for thousands of years before the internet was invented.
Nevertheless, it is true that some, but not all, of the people obsessed with "child porn" images collected or swapped via the internet are actual baby rapers of the most disgusting variety.
Last week in Scotland, the Operation Algebra case resulted in the conviction of a couple of such evil men, and 6 others of their child porn swapping / collecting associates.
The mainstream media has reports about the shocking rapes and abuse, not just of children but of infant babies by the chief perpetrators David Rennie and Neil Strachan, who are being considered for "whole life custody" prison sentences.
Edinburgh-based journalist Mike Wade has published, on his Wade's world blog, a fuller version of his article Paedophile gang preyed on children of close friends, published in The Times, Friday 8 May, 2009. The blog version includes some of the more interesting technical details of the investigation, which were edited out of the newspaper version.
See Wade's world: The men who preyed on their friends' kids
However, from a computer security, privacy and civil liberties viewpoint, the case has several points of interest.
- No use of Encryption ?
- Mobile Phone videos
- Communications Traffic Data
- Mutual Legal Assistance avoids RIPA ban on email intercept evidence ?
- Tracking down a target computer abusing open WiFi connections
- Digital Photo and Camera Forensics
No use of Encryption ?
But it might never have succeeded had it not been for a single act of forgetfulness by one of the criminal gang. Neil Strachan, the only man among the eight convicted who had previous convictions for sexual assault, worked at the Crown Decorator Centre in Newhaven, Edinburgh. Part of his job was to mix paints on a colour-mixing machine, a computerised system on which he chose to conceal on a portable hard drive.
When his computer broke down, Strachan made his mistake, carelessly delivering it, images and all, into a depot at Haltwhistle in Northumberland, operated by Akzo Nobel, the owners of Crown Paints.
Crown Paints, with headquarters in Darwen, just south of Blackburn, Lancashire, completed its management buyout from the multinational Akzo Nobel N.V. chemicals corporation during the investigation in 2008.
This all implies that Strachan was not using file or whole disk encryption.
Mobile Phone videos
For more than a year he assaulted the baby - referred to as Child F throughout the trial - broadcasting one attack over a mobile telephone to Milligan.
Was this evidence discovered on either Rennie or Milligan's mobile phone handsets ?
Or was the event captured on one of the video files which were seized ?
He invited his paedophile friends to join him in the abuse and published pictures of the attacks in emails to other offenders at on-line galleries he opened at the Photoisland and Photobucket websites.
Photobucket, with millions of innocent users, is based in the United States of America.
PhotoIsland.com, also formerly based in the USA, now seems to be defunct.
It would be utter overkill to try to censor these sorts of website via the planned "Great Firewall of Europe" or the UK's secretive Internet Watch Foundation blacklist.
Communications Traffic Data
Rennie's identity was revealed only after DI Hood's team had invoked the International Mutual Assistance Treaty, which enabled Scottish investigators to request assistance from their American counterparts. An intervention by the FBI enabled the Edinburgh detectives to place a "preservation order" effectively freezing all the contacts, chatlogs and emails recorded on kplover's email account at the Microsoft offices in San Jose. That one action has since enabled police forces to follow up 70 leads around Britain, half of which have led to arrests, and already some convictions. It also exposed a sinister link between Rennie and Matthew Grasso, a notorious sex offender in Salem, Massachusetts, USA, who was indicted in 2007 for having 150,000 images of child abuse in his home. Rennie had further connections to 300 child abusers in the United States, Australia, Germany, Holland and Poland.
This shows that Data Preservation, limited to a specific investigation, is all that is required, not the stupid and intrusive UK / EU Data Retention of millions of innocent people's communications data traffic.
It also shows that simply moving illegal (or legal but simply private) electronic communications to a US based company or service, is not enough to avoid the reach of the UK authorities.
It also shows that presumably MSN instant messaging is logged centrally by Microsoft, who also obviously cooperate with the authorities for access to Hotmail email accounts.
Mutual Legal Assistance from the USA avoids RIPA ban on email intercept evidence ?
For some reason, this sort of access to a foreign-based email provider's accounts, via a Mutual Legal Assistance treaty request, does not seem to count as "email interception" under the Regulation of Investigatory Powers Act 2000, which would require a warrant signed by the Home Secretary. It seems to be a loophole around the ban on intercept evidence, either for the prosecution or the defence, in a UK court.
Tracking down a target computer abusing open WiFi connections
In late 2007, detectives were closing in on kplover, and would eventually track him down. But Rennie was sly. From his home computer, he moonlighted on insecure broadband accounts held in nearby houses, so when police believed they had finally traced his computer's address, they arrived instead at the homes of two of Rennie's innocent neighbours, who lived streets away from his home.
Further information from San Jose proved crucial in his arrest. This demonstrated that the kplover account had been used on a handful of occasions by someone who had access to the LGBT Youth premises in Edinburgh.
Provided that the Police did not request too much data about innocent people, this looks to be a legitimate use of Communications Traffic Data by the investigators.
Police then consulted Damian Newrick, a specialist in radio transmission with the Child Exploitation and Online Protection Centre in London. His expertise revealed that Rennie's home address at Marionville Road would enable him to hotspot onto the insecure wireless networks which were nearby. Police now had two locations for the kplover account, united by a single criminal. Rennie was arrested on 17 December 2007.
Jim Gamble, the head of the Child Exploitation and Online Protection Centre, is notorious for lobbying for the waiving of the fees charged to the Police etc. for Communication Traffic Data requests by the ISPs and Telcos.
See The Register - ISPs slam CEOP bid to rewrite RIPA.
If he and other Policemen were not constrained somewhat by financial budgets and audit trails, then they would undoubtedly be snooping on and data trawling through vast amounts of innocent people's data, since the RIPA Commissioners provide no effective check on the vast growth in the number of such requests.
The Police already "have form" for doing exactly that, due to technological inexperience and the arrogance of power, in the early days of such internet requests, when they were not charged for, before the setting up of experienced and trained Single Points of Contact with the ISPs and Telcos, after the Regulation of Investigatory Powers Act 2000 (RIPA) came into force.
The example of open WiFi tracking in this case is interesting.
In previous cases, defendants have tried, with little success, to use the fact that an open Wi-Fi internet connection is available to cast reasonable doubt on exactly who is alleged to have downloaded child porn, or to have sent a threat, or to have hacked in to some other computer, using the IP address allocated to the broadband internet router / WiFi access point.
This case obviously shows that this "it must have been done by someone else via WiFi" scenario can actually happen in real life.
It should be the duty of the Police to find corroborating evidence (which, to their credit, they did in this case), before raiding an innocent person's home or business, simply on the weak evidence of an IP address, as they have done in cases involving Indymedia, and, it seems, of a former Tor Exit Node operator.
See the previous Spy Blog articles and comments:
- Serious Crime Act 2007 used to harass Indymedia server colocation administrator - updated.
- Passion and Dalliance blog: Why you need balls of steel to operate a Tor exit node.
The BBC and The Guardian reports which mentioned broadband WiFi were misleading - they gave the impression that radio location equipment is somehow needed to track down the location of a broadband internet router physically connected to a landline telephone. All that is needed is a Communication Data request to the ISP (which may yield a Customer address directly), and failing that, details of which telephone line is connected to the ADSL DSLAM in the local telephone exchange, which will also yield a physical address for that telephone from British Telecom or from a cable TV/Phone/Internet operator.
Another was the use of sophisticated radio equipment to track down broadband wi-fi signals in the Meadowbank area of Edinburgh.
Sophisticated tracking equipment then located Rennie's broadband Wi-Fi signals in the Meadowbank area of Edinburgh.
However these reports are less alarming than the Daily Record's unsubstantiated claim that:
May 8 2009 By Gordon McIlwraith
POLICE called in MI5 to track down Scotland's sickest paedophile gang.
As eight child sex perverts last night faced lengthy sentences, the spooks' role in their capture emerged.
A secret agent used specialist electronic equipment to identify a mystery man exchanging "sinister" emails with convicted child sex beast Neil Strachan.
And he was able to track the signal to the home of shamed gay rights campaigner James Rennie, who used the online alias "kplover".
What possible interest would the Security Service MI5 have in a child porn and rape case ?
What exactly was the National Security aspect ?
Spy Blog does not believe that MI5 was involved in this open WiFi connection tracking.
Tracking down a laptop computer accessing open WiFi access points / broadband routers is not that difficult a radio location task - a laptop computer running passive WiFi sniffing software such as Kismet, a high gain directional WiFi antenna, and a street map or, optionally, a GPS navigational receiver is all that is required. A phased array WiFi smart antenna would make such tracking almost trivial.
Back to the Wade's world report:
In the weeks after Christmas two more arrests followed, as police followed up leads from the kplover internet account and Rennie's mobile phone. These conspirators were Ross Webber, 27, a bank clerk from North Berwick, 25 miles east of Edinburgh, and Craig Boath, a slovenly 24-year-old insurance worker from Dundee.
Presumably this meant more use of Communications Traffic Data.
Were any of these emails and phone calls actively intercepted, though ?
Digital Photo and Camera Forensics
Shortly after New Year, Strachan sent Rennie a photograph which became known in court as "the Hogmanay image". It showed a man assaulting an infant. Though the head of the attacker was not in the frame, Dr Sue Black, a forensic pathologist at Dundee University, identified Strachan through 13 points of similarity on his thumb, which was visible in the photograph.
Sue Black is Professor of Anatomy and Forensic Anthropology at the University of Dundee.
Further expert evidence was called in to convict Strachan, who continued to deny all charges against him. Professor Hany Farid of Dartmouth College, New Hampshire and Dr Miroslav Goljan, of Binghamton University, New York extracted computer data from the images. This established that the Hogmanay image had been taken on a Sony Cybershot. Crucially, the two scientists found that in one of his few "normal" transactions, in which Strachan had sent an image of himself to another worker at his company under his own name, he had used the same Sony camera.
The Daily Herald has a few more details:
Courts in the US granted warrants to obtain records from Microsoft and internet service provider AOL, leading police to the true identities of the owners of numerous internet accounts.
To what extent was AOL used by the criminals ? Was it AIM instant messaging or AOL broadband access in the UK ? Or were the AOL chatrooms being abused, again ?
During the trial a key piece of evidence emerged: the photograph that became known as the Hogmanay Image, showing Strachan seriously sexually assaulting an 18-month-old toddler.
After months of work by experts the picture was unlocked from encrypted computer files
Did they actually brute force or dictionary attack and crack the encryption password or passphrase, or was it obtained as a result of a confession, or, perhaps, via a secret electronic intercept ?
Was this done in the UK or in the USA ?
and an electronic date stamp showed it had been taken an hour before midnight on December 31, 2005.
See our Hints and Tips for Whistleblowers - Technical Hints and Tips for protecting the anonymity of sources for Whistleblowers, Investigative Journalists, Campaign Activists and Political Bloggers etc - http://ht4w.co.uk article Photo Image Files for links about digital camera image meta data (like the time / date stamp and make of Camera), and techniques which compare different photos statistically, looking for characteristic background noise and defective pixels etc, which vary between individual cameras.
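The statistical comparison mentioned above can be illustrated with a small simulation. This is an added example, not the experts' method or code from the case: it builds two constructed "cameras" with different per-pixel gain patterns, averages the noise residuals of several reference photos into a fingerprint, and correlates a questioned photo against it. The function names, sensor size, noise levels and the number of reference photos are all assumptions.

```python
import math
import random

W = H = 48  # tiny constructed "sensor"; real images have millions of pixels

def make_camera(seed):
    """Constructed per-pixel gain pattern (sensor non-uniformity), about 2%."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 0.02) for _ in range(W)] for _ in range(H)]

def shoot(camera, rng):
    """Simulate a photo: smooth scene * (1 + gain pattern) + random shot noise."""
    base = rng.uniform(100, 160)
    return [[(base + 0.5 * x) * (1 + camera[y][x]) + rng.gauss(0, 2.0)
             for x in range(W)] for y in range(H)]

def residual(img):
    """Noise residual: pixel minus its 3x3 neighbourhood mean (interior only)."""
    out = []
    for y in range(1, H - 1):
        for x in range(1, W - 1):
            mean = sum(img[y + dy][x + dx]
                       for dy in (-1, 0, 1) for dx in (-1, 0, 1)) / 9.0
            out.append(img[y][x] - mean)
    return out

def fingerprint(images):
    """Average the residuals of several reference photos from one camera."""
    res = [residual(i) for i in images]
    return [sum(col) / len(res) for col in zip(*res)]

def correlation(a, b):
    """Normalised (Pearson) correlation between two residual vectors."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    den = math.sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))
    return num / den

def demo():
    rng = random.Random(2009)  # fixed seed so the constructed data is repeatable
    cam_a, cam_b = make_camera(1), make_camera(2)
    reference = fingerprint([shoot(cam_a, rng) for _ in range(8)])
    same = correlation(residual(shoot(cam_a, rng)), reference)
    other = correlation(residual(shoot(cam_b, rng)), reference)
    return same, other

if __name__ == "__main__":
    same, other = demo()
    print(f"same camera: {same:.2f}   different camera: {other:.2f}")
```

A photo from the fingerprinted camera correlates strongly with the reference pattern, while a photo from the other camera correlates near zero; real images need far better denoising than the 3x3 mean used here.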
First, police took steps to prove the camera used to take the image was owned by Strachan. Detectives contacted Dr Hany Farid, of Dartmouth College in Massachusetts, who is a leading expert in digital forensics.
Dr Farid has aided the CIA and FBI with evidence on computer-based crimes but this is the first time such evidence has been used in a British court. The professor was asked to analyse four digital camera images: the Hogmanay Image and three others known to have been taken by Strachan on a Sony Cybershot camera.
Dr Farid was able to show to the court that it was "highly likely" the four pictures came from the same camera, indicating the equipment was owned by Strachan.
Professor Hany Farid is at the Image Science Group, Department of Computer Science, Dartmouth College, Massachusetts, USA.
The Borders and Lothian Police - Statement following conclusion of Operation Algebra trial mentions another US academic expert:
The Force also received invaluable assistance from LGBT Youth, who co-operated from an early stage; Microsoft, who helped trace email addresses and identities, Prof Sue Black of Dundee University - a world acclaimed forensic anthropologist, and US academics - Prof Hany Farid, University of Dartmouth, and Prof Miroslaw Goljan, University of Binghamton, who are leaders in Steganalysis - a forensic technique which links an image with the camera on which it had been taken.
At least the Police use these academics' titles of Professor rather than just Dr. as the mainstream media seem to.
Steganalysis - "is the art and science of detecting messages hidden using steganography; this is analogous to cryptanalysis applied to cryptography."
Professor Miroslaw Goljan seems to be a researcher at State University of New York at Binghamton, which benefits from the nearby computer giant IBM research facilities.
Did the Police suspect that these criminals were actually using steganography to hide messages or child porn images within other, innocent looking digital images ?
Or were these digital image experts just concentrating on establishing the links between porn abuse images and the identifiable photos of Strachan etc ?