Child Porn: Why One Man's Innocence May Worry IT Managers

Computer security news out of Massachusetts this week could be a sign of big troubles to come for IT managers in enterprises, government agencies, and SMEs, in the U.S. and around the world. It's not a virus or worm or Trojan as such, although malware may well be involved. No, it's a case in which an innocent man lost his job and his reputation, and may now win a landmark suit against his former employer. Why? Because he was fired for having child pornography on his company laptop, without adequate forensic evidence that he was the one who put it there.

The case of Michael Fiola could become a landmark of sorts, although some observers seem to have missed the point I'm going to make: any employer considering taking action against an employee, based solely on what is 'found' on an employer-issued computer, must have solid forensic evidence to justify that action, and should preferably be in a position to justify it on additional, non-forensic grounds as well. Why? Because failure to do so could have serious consequences, for the employee wrongly accused and for the employer who later has to defend the dismissal.

An employee may hire a forensic examiner of his own. And that examiner may determine, through a detailed analysis, that, as in Mr. Fiola's case, the employee did not put the offending material on the computer as alleged. In other words, the 'mere' presence of child pornography on a computer does not prove that the user of that computer put it there, let alone that he is a paedophile.

Now, I use the qualifier 'mere' with hesitation, because I'm not suggesting that child pornography is anything other than the vile and execrable abomination which every decent person knows it to be. But the fact is, its presence on an Internet-connected computer is increasingly beyond the control of the average computer operator. To say "I didn't put it there" or "I didn't know it was there" is no longer a blatantly transparent excuse. Mr. Fiola's poorly configured, employer-issued laptop was performing all sorts of operations without his knowledge, and visiting child porn sites was one of them.

And beware the temptation to smugly bluster that "he should have known," lest your computer be the next to undergo superficial analysis and ye be judged. How sure are you of the defenses you have installed on your system? And then there are the more mundane ways such material arrives. A superficial analysis of the very laptop upon which I am writing this blog post could turn up objectionable photographs that I did not seek out. Anyone who runs Google Image Search with SafeSearch turned off will know that pornographic images sometimes appear as a result of quite innocent searches, and anyone who has a basic understanding of browser caches will know that the thumbnails displayed by Google on the results page are likely to linger on the hard drive for some time. Obviously, you need to go further than the mere presence of a file to make a judgement about how it got there: where it sits, when it was written, what fetched it, and whether anyone ever opened it.
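To make the point concrete, here is an added triage script (example code, not part of the original post and not from any real investigation) that scores each image file by how it most plausibly arrived instead of treating its presence as proof of intent. It distinguishes a user-saved file that was later opened from a search-result thumbnail sitting in the browser cache, and flags files written while nobody was logged in or in a rapid burst, the pattern a malware-driven laptop like the one described above would leave. The cache directory markers, referrer hosts, size and burst thresholds, and the sample records are all constructed assumptions for illustration; a real examination would pull these fields from the cache index, logon events, recent-files lists and anti-virus logs.

```python
"""Provenance triage for image artifacts (illustrative example, not from the post).

All thresholds, paths and records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed markers for directories a browser writes to without user action.
CACHE_DIR_MARKERS = ("/temporary internet files/", "/cache/", "/local settings/temp/")
# Assumed hosts whose pages cause thumbnails to be fetched into the cache.
SEARCH_RESULT_HOSTS = ("images.google.com", "www.google.com")
THUMBNAIL_MAX_BYTES = 20_000          # search-result thumbnails are small (assumption)
BURST_WINDOW = timedelta(seconds=10)  # this many fetches in one window looks scripted
BURST_MIN_FILES = 10


@dataclass
class Artifact:
    path: str
    size_bytes: int
    created: datetime
    referrer: Optional[str] = None    # page that triggered the fetch, per cache index
    opened_by_user: bool = False      # e.g. a recent-files or image-viewer history entry


@dataclass
class Session:
    start: datetime                   # interactive logon / logoff times from the event log
    end: datetime


def in_cache_dir(path: str) -> bool:
    p = path.replace("\\", "/").lower()
    return any(marker in p for marker in CACHE_DIR_MARKERS)


def from_search_results(referrer: Optional[str]) -> bool:
    return bool(referrer) and urlparse(referrer).hostname in SEARCH_RESULT_HOSTS


def during_session(ts: datetime, sessions: List[Session]) -> bool:
    return any(s.start <= ts <= s.end for s in sessions)


def burst_size(a: Artifact, artifacts: List[Artifact]) -> int:
    """Number of artifacts (including a itself) written within BURST_WINDOW of a."""
    return sum(1 for b in artifacts if abs(b.created - a.created) <= BURST_WINDOW)


def indicators(a: Artifact, sessions: List[Session], artifacts: List[Artifact]) -> List[str]:
    flags = []
    if in_cache_dir(a.path):
        flags.append("browser cache")
    if from_search_results(a.referrer) and a.size_bytes <= THUMBNAIL_MAX_BYTES:
        flags.append("search thumbnail")
    if not during_session(a.created, sessions):
        flags.append("outside user session")
    if burst_size(a, artifacts) >= BURST_MIN_FILES:
        flags.append("burst")
    if a.opened_by_user:
        flags.append("opened by user")
    return flags


def verdict(flags: List[str]) -> str:
    # Unattended activity outranks everything: attribute to a process, not a person, until ruled out.
    if "outside user session" in flags or "burst" in flags:
        return "unattended activity: check for malware before attributing to the user"
    if "opened by user" in flags and "browser cache" not in flags:
        return "user interaction: supports attribution, still corroborate"
    return "presence only: no inference about intent"


def triage(artifacts: List[Artifact], sessions: List[Session]) -> Dict[str, str]:
    return {a.path: verdict(indicators(a, sessions, artifacts)) for a in artifacts}


# Constructed sample: one working day with a single logon, three kinds of file.
DAY = datetime(2008, 3, 14)
SESSIONS = [Session(DAY.replace(hour=9), DAY.replace(hour=17, minute=30))]
CACHE = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234"
SAMPLE = [
    # Saved under My Documents during the day and later opened: this is where intent can be argued.
    Artifact(r"C:\Documents and Settings\user\My Documents\saved_001.jpg", 1_300_000,
             DAY.replace(hour=11, minute=15), opened_by_user=True),
    # Small thumbnail the browser cached from an innocent image search: presence only.
    Artifact(CACHE + r"\thumb[1].jpg", 8_200, DAY.replace(hour=10, minute=2),
             referrer="http://images.google.com/images?q=office+chairs"),
] + [
    # Twelve cache files written one second apart at 03:14, with nobody logged on.
    Artifact(CACHE + rf"\img{i:02d}[1].jpg", 45_000, DAY.replace(hour=3, minute=14, second=i))
    for i in range(12)
]

if __name__ == "__main__":
    for path, result in triage(SAMPLE, SESSIONS).items():
        print(f"{result:<70} {path}")
```

The verdict order is deliberate: evidence of an unattended process (writes outside any logon, or a scripted burst) is checked before anything that looks like user interaction, because a compromised machine can produce both, and the examiner's first job is to rule the machine out before ruling the person in.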

Nevertheless, it might be a good idea for employers to require that SafeSearch be active on all company-issued laptops. And employers should already be taking steps to make sure their employees know how long temporary Internet files persist, and where. But should employers be held liable for failing to keep malware protection on a company-issued laptop up to date? That's a good question. However, the big question that this case raises for me is quite different: what are those IT managers who are responsible for forensic work performed on suspect employee systems doing to ensure that the quality of such work is high enough to justify claims of fact in a disciplinary action?

The bar for acceptable computer forensics has now been raised. To where, we don't yet know. But if Mr. Fiola files suit for wrongful dismissal and gets a judgment in his favor, the case could establish an important precedent. And if it turns out the IT manager had signed off on the evidence against Mr. Fiola, the implications for IT managers will be significant, to say the least. We may see several trends emerge. Employees may demand better security on company laptops. IT managers may demand more resources for forensics, or refuse to sign off on investigations without some form of immunity.
