Thursday, October 9, 2008

Browser Hijacking as a Defense in Legal Proceedings

Here is an excerpt from the article at Internet Law:

“Browser hijacking is a real phenomenon, which can become manifest through unwanted pop-ups, new ‘favorites’ that a user cannot delete, a new home page, and other forms of loss of control over one’s computer. At the same time, browser hijacking is not always responsible for the presence of unwanted spy ware and other malware. A common culprit for the transmission of these viruses is the downloading of otherwise innocent material such as games or news from disreputable Websites that infect users’ computers with spy ware and viruses, and that, in certain cases, direct users to illegal or sexually explicit Websites.”

As the article states, this has been offered as a defense in cases involving contraband such as child pornography, and also in wrongful termination cases involving surfing pornography while on the company computer.

The issue is that while it seems logical and should be apparent that this kind of thing can happen to the most innocent of users, juries have been decidedly less than receptive to this as a defense.

In order to mount this as a defense, it must first be established that a browser hijacker existed and was active at the time the images were downloaded. This can be difficult if the computer was subsequently cleaned up by anti-virus or anti-spyware software. If the program doing the cleaning kept a log of what was cleaned and when, then clues can be obtained from those logs. Sadly, a lot of these programs do not keep a history of what they did.

The second and most effective challenge to this as a defense is the existence of Typed URLs. A moment to explain: the address that you type into the box at the top of your browser to go to a web site, like www.yahoo.com, is called a URL, or Uniform Resource Locator. In common terms we call this the web site address. In truth it is a human-language nickname for the real address of the web site. For instance, if I said I wanted to go see someone, I would say I was going to Bob Smith's home at 110 Cherry Lane. I can understand that and even get there if I know the way. But if I type that address into my GPS, it does not see it as 110 Cherry Lane; it sees it as a set of Geographic Positioning Coordinates like 4.567, 123.444. The same thing happens when you type www.yahoo.com into your browser address box. The computer sees that as a string of numbers that is the real address of the server providing yahoo.com's web pages to you, such as 206.190.60.37 (the real address for yahoo.com).

Okay, now that you understand that what you type into the address box is a way for humans to remember web page addresses (who would want to have to remember 206.190.60.37?), it is important that you understand a couple of other things. How does www.yahoo.com become 206.190.60.37?

Out there in the world there are things called DNS servers. DNS stands for Domain Name Service. What the DNS server does is have a big table that matches names with actual addresses, so that when you type in www.yahoo.com, your browser (Internet Explorer or Safari or Mozilla, etc.) asks the DNS server to tell it where www.yahoo.com really is. The DNS server looks at its table, matches www.yahoo.com to the address 206.190.60.37 and then tells the browser to ask that server for web pages. It works just like a giant phone book that matches Bob Smith with his phone number so you know what number to dial to talk to Bob.

Now, back to Typed URLs and why they are so pesky in this type of defense:

Just like the name implies, Typed URLs are the addresses that you, the computer user, type into that address box. Secretly, in the background, Microsoft Windows records those in a place you can't see unless you know where to look.

When the computer hard drive is examined for evidence, that is one of the first places a forensics expert will look to see if the user was actually typing in addresses for bad sites.

But there is one way this can actually help you: if a Typed URL is a slight misspelling of a legitimate site's address, and that misspelling sent you to a porn site, then you have some evidence that can help you.

For a long time the address www.whitehouse.com was a major porn site. There is no telling the number of innocent people who went there looking for www.whitehouse.gov (the real address for The White House). Who knows how many elementary school kids got an eyeful trying to research their homework.

Another common trick of the porn industry and insidious web sites that like to infect your computer is the old misspelling trick. A lot of these have been shut down now thankfully. For instance, if you wanted to go to www.microsoft.com but you are a poor typist like me and tend to type in www.microfost.com, you would have gone to a porn trap site.

If these common misspellings or mis-addresses show up in your Typed URL records on the computer, you have some evidence that you did not intentionally go to a porn site.
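The check described above can be run mechanically over the recovered Typed URL entries. The following is an added example, not part of the original post: it flags entries whose host is a wrong-ending or near-misspelled version of a legitimate site. The reference list, the sample entries, the function names and the two-edit threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Reference list of sites the user plausibly meant (assumption: chosen by the examiner).
LEGIT = ["www.whitehouse.gov", "www.microsoft.com", "www.yahoo.com"]

def host_of(entry):
    """Return the lower-cased host of a typed entry, with or without a scheme."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").lower()

def osa_distance(a, b):
    """Edit distance that counts swapping two adjacent characters as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(entry, legit=LEGIT, max_edits=2):
    """Return (label, intended_site) for one typed entry."""
    host = host_of(entry)
    if host in legit:
        return ("exact", host)
    for good in legit:
        # Same name, different ending (the whitehouse.com / whitehouse.gov case).
        if host.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]:
            return ("tld-swap", good)
    near = min(legit, key=lambda g: osa_distance(host, g))
    if osa_distance(host, near) <= max_edits:
        return ("near-miss", near)
    return ("no-match", None)

# Constructed sample entries; the two look-alike hosts are the ones named in the post.
SAMPLE = ["http://www.yahoo.com/", "www.whitehouse.com",
          "http://www.microfost.com/", "http://example.test/page"]

def triage(entries=SAMPLE):
    """Label every entry so look-alikes can be pulled out for manual review."""
    return [(e, *classify(e)) for e in entries]

if __name__ == "__main__":
    for row in triage():
        print(row)
```

A flagged entry shows only that the typed string resembles a legitimate address; where that address led at the time still has to be established separately.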

Raising this as a defense is tricky and takes a considerable amount of skill to pull off, not only technically, but also in front of a jury who will need a lot of verbal hand-holding to understand it.

But no amount of skill or trickery will convince a jury of something you cannot prove. Like the Trojan Horse defense, this shifts the burden of proof from the prosecution and places it squarely on the shoulders of the defense.

There are other factors to consider as well in defending these cases, too many to go into here. But they all must be considered, weighed and presented to the defense attorney as part of the job of the forensics consultant.

No slight to attorneys in any way, but many of them are new to this type of evidence and its implications, and depend on the forensics consultant to make sure they understand what they have to work with and what the challenges will be in mounting such a defense from a technical standpoint, if there is one to mount at all.
