Child pornography Web sites: techniques used to evade law enforcement.
First, child pornography Web sites often are so complex that efforts to identify the administrators become tedious and time consuming. Frequently, by the time investigators have taken the appropriate legal steps to track administrators, the suspect sites have moved from one place to another on the Internet. (3) Such movement hinders law enforcement efforts because locating Web sites a second time in the vast, virtual world of the Internet proves difficult. And, if they can locate it again, the legal process usually must start over.
Second, Web site administrators use methods to make their sites appear as though they are hosted overseas when, in fact, they are not. This technique often results in investigators ignoring these sites and searching for others they more easily can locate in their own country.
Finally, the manner in which people pay for child pornography Web site memberships often involves stolen credit cards, identity theft, and online financial transactions. Tracking these payment methods involves complex paper trails, spin-off investigations, and tedious legal processes that bog down and divert investigators' attention from the primary focus of the child pornography investigation. Armed with information about the technology and various techniques that child pornography Web site administrators use, investigators can better prepare to combat this international problem that targets the most precious and defenseless victims--children.
Each Internet user and Web site is identified by an Internet protocol (IP) address, such as 126.96.36.199, which is one of the IP addresses for the FBI's Web site. (4) Readable text, or a domain name, often is displayed in lieu of this string of numbers for convenience and ease of Internet users. Since the beginning of cybercrime, law enforcement agencies have relied on this unique identifier to locate, and eventually prosecute, cybercriminals.
Clever pornographers, as well as anyone else wishing to conceal their online identity, use proxy servers to mask their true IP address on the Internet. A proxy server allows one computer on the Internet to act for another one or, in some cases, many others. Essentially, the proxy server shares its identifying IP address and allows other users to access the Internet through it. Therefore, any online act committed by someone using a proxy server appears as though the proxy server executed it. For investigators, this merely adds another step, usually in the form of an additional legal process, to obtain the true IP address of the end user. Whether investigators even can acquire it depends on if the proxy server keeps accurate logging information and if the proxy server's host will make the address available.
Online users who do not want anyone to trace them use an anonymous proxy server. Similarly, the proxy masks the IP address of potential offenders; however, no logs or other identifying information are kept. Therefore, they will not assist law enforcement agencies in determining the true identity of the original user.
Anonymous proxy servers are easy to use, and many are free, requiring no registration or identifying information from the end user. Also, many are located in other countries. While a typical proxy server may be available one day and offline the next, Web site administrators easily can locate another one to use.
Like all Web sites, child pornography sites must be hosted somewhere for Internet users to access. Thousands of hosting providers exist, all offering space on the Internet and a myriad of other online and offline services. Most charge a fee based upon the amount of disk space used to host the Web site and the amount of traffic to that site.
Several online tools can determine a particular Web site's hosting provider, which, once located, can furnish valuable information regarding who registered it, who pays the monthly bill, and, often, the IP address they use to do so. Usually, law enforcement agencies must take legal action to obtain this information. A child pornographer who wants to remain anonymous may use a proxy server anytime they communicate online with the hosting provider. To avoid a money trail for law enforcement investigators to trace, free hosting providers often are used because they are relatively easy to find. Offering no-frills hosting, many of these providers make their revenue by placing advertisements on their customers' Web sites. Without accurate customer or IP address information, they provide little use to law enforcement with or without legal process.
Web Site Strategy
Like other for-profit Web sites, child pornography sites must advertise to prospective customers to stay in business. These advertisements benefit law enforcement because they are accessible to people searching the Internet for child pornography. Online pornography businesses usually separate the advertise-and-join Web site from the members area. The first one often contains a preview of what prospective members can expect to receive if they agree to pay a subscription fee, and it includes a hyperlink to use to obtain membership. In the members area, Web site administrators place content available to paying members. This location is not disclosed until after a person purchases a membership. While this strategy of separating the two Web sites helps prevent hackers from accessing members-only material without paying, it also deceives law enforcement regarding the actual location of the illegal content.
Child pornographers can create multiple advertise-and-join Web sites using free hosting providers outside the United States. The actual location of the illegal content will become apparent only after purchasing a membership. Because law enforcement agencies often are reluctant to make a covert purchase of a membership or access to a child pornography Web site apparently in another country, much illegal child pornography located in the United States evades investigation. By employing a strategy of separating the advertise-and-join Web site from the members area, child pornographers can effectively conceal a great deal of their illegal content from everyone but paying customers.
A Web site's uniform resource locator (URL) is the text typically typed into the top bar of a Web browser that directs a user to a Web site. The URL usually takes the form of access protocol (http), domain name (www.fbi.gov), and a path to a file or Web site on that server (/publications.htm).
URLs may appear straightforward and easy to interpret, but many individuals know that they can use hexadecimal codes, IP addresses, and other text in place of standard-looking domain names to confuse people attempting to track the source of the Web page content. Some tricks include placing misleading text followed by the @ symbol between the access protocol and the domain name. Any text placed prior to this symbol is not used to resolve the true URL. Next, URLs may be written in their corresponding hexadecimal codes (e.g., the letter "A" represents "%61," "B" is "%62" and so forth). The three URLs in the box look surprisingly different, but all point to the same location on the Internet. Using a combination of these and other URL encoding techniques, child pornographers use the Internet's underlying technology to obscure and conceal the actual location of their content.
Redirect services allow individuals to use another URL to access their Web site. The services redirect users to a Web site hosted in a particular country. These sites, however, have the outward appearance of being located in another country, rather than what the domain extension denotes. At this initial stage of exploring URLs, law enforcement agencies often elect to use their investigative resources to find sites obviously hosted within their own jurisdiction to avoid the additional legal hurdles of pursuing an international legal process.
Hypertext markup language, or HTML, is the language of the Internet and most Web sites. People who know this language can exploit it enough to deceive even veteran Internet surfers when locating the source of Web content. Viewing the source HTML behind a suspected Web site may reveal images and other content located at a different URL and physical location, rather than the original Web site itself. HTML code even can be used covertly to redirect users to another URL or location on the Internet without their knowledge.
A Web site typically serves HTML code to a Web browser, resulting in a familiar Web page for each Internet surfer. However, some scripting languages allow different Web pages to be served to different users based upon qualifying factors, such as an IP address. For example, one search engine uses filtering technology to serve a German language version to anyone accessing their Web site from a German IP address. Similarly, pornographers could use this technology to serve different pages to users coming from differing ranges of IP addresses. For example, IP addresses within the United States or those known to be from law enforcement or government sources could receive nonpornographic content.
Anonymous Payment Methods
Law enforcement agencies may prefer the strategy of tracing money when targeting for-profit child pornography enterprises. However, inventive child pornographers use several tools to profit from their ventures. The growth of Internet commerce has resulted in a new industry of online payment processors, which present an ideal solution for many online businesses seeking to collect revenue for a good or service. They collect significant customer data, including name, address, transaction information, and IP address logs. Processors in the United States assist law enforcement efforts worldwide to curb child pornography. But, obtaining records from processors in other countries can become a lengthy procedure. Some online payment processors do not require nor verify identifying information about their customers. They may only request users to choose a name and password to open an account. Many people who seek child pornography provide their credit card numbers and significant identifying information to such Web site operators. Quite often, administrators for these sites intentionally use their customers' credit cards to fund their own operations, such as purchasing another domain name or a location at another Internet hosting provider. This places the child pornography subscriber in the precarious position of not reporting the unauthorized use of their credit card to avoid betraying that they sought child pornography.
While law enforcement agencies more easily can track credit card purchases, credit card fraud presents a unique opportunity for Internet child pornographers. Hackers spend countless hours finding vulnerabilities in online banking software to seize identities of unsuspecting users. People lurking in the right places on the Internet can purchase vast lists of credit card numbers. Then, they use these compromised numbers and identities to pay for child pornography Web site memberships.
Illegal child pornography is one of the fastest growing businesses on the Internet, and online pornographers use numerous tactics to evade law enforcement's efforts to capture them. Attempts to identify administrators of these complex Web sites can prove frustrating for investigators. Advances in technology present even more challenges in shutting down these Web sites in the future. Law enforcement agencies must be aware of the techniques online child pornographers use to further their illegal activities--only with such knowledge will they be able to combat this critical international problem.
(1) Robert Grove and Blaise Zerega, "The Lolita Problem: Illegal Child Pornography is Booming, Thanks to the Internet--and the Unwitting Support of Corporate America," Red Herring, January 2002, 47-53.
(3) Legal processes include search warrants, court-ordered and administrative subpoenas, and various international requests through mutual legal assistance treaties and letters rogatory.
(4) The actual IP address of www.fbi.gov.
Examples of Misleading URLs
|Printer friendly Cite/link Email Feedback|
|Publication:||The FBI Law Enforcement Bulletin|
|Date:||Jul 1, 2007|
|Previous Article:||Missing person.|
|Next Article:||Day Laborer Sites.|